United States Department of Agriculture
Office of Inspector General

U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2011 Federal Information Security Management Act

Audit Report 50501-0002-12
November 2011

U.S. Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE: November 15, 2011

The Honorable Jacob Lew
Director
Office of Management and Budget
Eisenhower Executive Office Building
17th Street Pennsylvania Avenue NW
Washington, D.C. 20503

SUBJECT: U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2011 Federal Information Security Management Act Report (Audit Report 50501-0002-12)

This report presents the results of our audits of the Department of Agriculture’s (USDA) efforts to improve the management and security of its information technology (IT) resources. USDA and its agencies have taken actions to improve the security over their IT resources; however, additional actions are still needed to establish an effective security program.

Sincerely,

Phyllis K. Fong
Inspector General

Table of Contents

Executive Summary ... 1
Recommendation Summary ... 8
Background & Objectives ... 10
Background ... 10
Objectives ... 11
Scope and Methodology ... 12
Abbreviations ... 14
Exhibit A: Office of Management and Budget (OMB)/Department of Homeland Security (DHS) Reporting Requirements and U.S. Department of Agriculture (USDA) Office of Inspector General (OIG) Position ... 16
Exhibit B: Sampling Methodology and Projections: Audit Number 50501-0002-12 FISMA FY2011 ... 55

U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2011 Federal Information Security Management Act (FISMA) (Audit Report 50501-0002-12)

Executive Summary

The Department of Agriculture (USDA) has made improvements in its information technology (IT) security over the last decade, but many longstanding weaknesses remain. In our Federal Information Security Management Act (FISMA) audits for fiscal years (FY) 2009 and 2010, Office of Inspector General (OIG) made 33 recommendations for improving the overall security of USDA’s systems. By the end of FY 2011, the Department had adequately remediated and closed only 6 recommendations, leaving 27 to be addressed. OIG has reported on many of these remaining recommendations since 2001 when we first detailed material weaknesses in the design and effectiveness of USDA’s overall IT security program.

USDA is a large, complex organization that includes 33 separate agencies and staff offices, most with their own IT infrastructure. In 2009, in order to mitigate continuing material weaknesses, we reported that the Department should concentrate its efforts on a limited number of priorities instead of attempting to achieve numerous goals simultaneously in short timeframes. We recommended that USDA and its agencies work together to define and accomplish one or two critical objectives before proceeding to the next set of priorities. During FY 2011, we observed increased evidence of coordination, but the Department was not making measurable progress in approaching this problem collaboratively. For example, during FYs 2010 and 2011, the Office of the Chief Information Officer (OCIO) received increased budgetary authority to enhance USDA’s IT security. The Department funded 14 separate projects with none of these projects being fully implemented during FY 2011; instead, funding was cut and nearly all of the projects were significantly scaled back, pushing implementation dates further into the future.[1] USDA needs to undertake a manageable number of its highest priority projects and it needs to show measurable progress towards the milestones for each active project. USDA’s inability to complete projects in a timely manner continues to hinder its progress towards improving its security posture.

We acknowledge, though, that USDA has made progress through FY 2011 in several key areas, including system security documentation. The Department improved the overall quality of this documentation by issuing detailed guidance, strengthening its quality review process for reviewing that documentation, and ensuring more consistent formatting and recording when it updates that guidance. USDA also finished deploying a suite of network monitoring and detection tools, which should further enhance the security of its networks. The suite is an integrated security solution that provides the foundation for enterprise-wide security monitoring, detection, and protection. Once USDA deploys adequate resources to properly configure and completely monitor these tools, the Department’s security posture should greatly improve.

[1] We based this project count on information provided by the OCIO as part of a document request pertaining to audit: U.S. Department of Agriculture (USDA) Audit of the Chief Information Officer’s FY 2010 Appropriations (Audit 88401-0001-12).

AUDIT REPORT 50501-0002-12 1

In addition, USDA has made progress in improving its identity and access management program by developing a system that, once completed, will integrate human resource systems, logical access security, and physical access security.[2] Currently, the system is integrated[3] with 425 of 467 Department web applications—further integration is in development.[4] The incident response and reporting documentation and tracking process also improved between our FY 2010 and FY 2011 FISMA audits. The Department decreased its error rate from 100 percent in FY 2010 to 44 percent in FY 2011 through increased adherence to documented procedures. This improvement is especially remarkable because OCIO personnel stated the incident response and reporting division’s staff decreased from 13 to 6 full-time employees due to a reduced FY 2011 budget.

This report constitutes OIG’s independent evaluation of the Department’s IT security program and practices, as required by FISMA. OIG’s review is based on the questions provided by the Office of Management and Budget (OMB)/Department of Homeland Security (DHS) for the FY 2011 FISMA review. These questions are designed to assess the status of the Department’s security posture during FY 2011. For the FISMA review, OMB/DHS’s framework requires OIG to audit processes, policies, and procedures that had already been implemented and documented, and were being monitored during FY 2011. While USDA’s planned activities may improve its security posture in the future, we could not evaluate these initiatives as part of our FY 2011 FISMA review because they were not fully operational during the year.

The following summarizes the key matters discussed in exhibit A of this report, which contains OIG’s responses to OMB/DHS’ questions. These questions were defined in OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (September 14, 2011) and DHS Federal Information Security Memorandum 11-02, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (August 24, 2011). The universe of systems and agencies reviewed varied during each audit or review reflected in this report.

[2] NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996) states logical access is the ability to explicitly enable or restrict access. Logical access controls can prescribe not only who or what is to have access to a specific system resource but also the type of access that is permitted.
[3] Integration is the merging of web applications with functions of the identity, credential, and access management system such as using a single access credential. This integration allows centralized account access rights and privileges to be monitored and tracked.
[4] There can be multiple applications per system. Even though there are only 257 USDA systems, the number of applications running on those systems is greater.

To address the FISMA metrics, OIG reviewed systems and agencies, OIG independent contractor audits, annual agency self-assessments, and various OIG audits throughout the year.[5] Since the scope of each review and audit differed, we could not use every review or audit to address each question.

Agency officials are responsible for ensuring all systems meet Federal and Departmental requirements and documenting agency compliance in the Cyber Security Assessment and Management (CSAM) system.[6] OCIO is responsible for ensuring that agencies are compliant with Federal and Departmental guidance and are reporting aggregate results during the annual FISMA reporting cycle. The Risk Management Framework (RMF) is a new publication by the National Institute of Standards and Technology (NIST). The publication promulgates a common framework which is intended to improve information security, strengthen risk management, and encourage reciprocity between Federal agencies.[7] The publication transforms the traditional Certification and Accreditation (C&A) process into a six-step RMF process.[8] Although the process has changed, we continue to find:

· USDA does not have a RMF policy or fully developed procedures. According to the Department, this occurred because the governance team which was overseeing RMF was disbanded due to budget cuts. As a result, USDA cannot ensure that it has a consistent and effective approach to risk management that applies to all risk management processes and procedures. However, in August 2011, USDA did issue a guide that addresses parts of the six-step RMF process. The guide also clarifies the steps necessary to complete the C&A process. Agencies are required to submit their system C&A packages and all supporting documents to the Department for an in-depth review (i.e., a concurrency review). During this review, USDA ensures that the documentation prepared to support system accreditation is complete, accurate, reliable, and meets NIST and other mandated standards.[9]

· Overall, we found that the C&A process improved. USDA completed its in-depth document reviews and appropriately returned C&As to agencies that did not meet NIST requirements. However, we did find that improvements are still needed. Specifically, the following C&A documentation did not meet NIST requirements: (1) systems were not properly categorized; (2) risk assessments did not adequately substantiate testing; (3) system security plan (SSP) controls were not implemented properly and did not sufficiently address each control; and (4) security assessment reports did not provide evidence to show that controls had been tested. As a result, USDA cannot be assured that all system controls had been documented and tested, and that systems were operating at an acceptable level of risk.

· Additionally, we found 15 of 55 systems were not recertified as required in FY 2011.[10] This occurred because agencies had not submitted documents for recertification. As a result, these systems are operational but without proper certification, which leaves the agencies and the Department vulnerable because the systems have not been through proper testing.

[5] Agency annual self-assessments derive from OMB Circular A-123, which defines Management’s Responsibilities for Internal Control in Federal agencies (December 21, 2004). The circular requires agency’s management to annually provide assurances on internal control in Performance and Accountability Reports. During annual assessments, agencies take measures to develop, implement, assess, and report on internal controls, and take action on needed improvements.
[6] CSAM is a comprehensive system developed by the Department of Justice, which can facilitate achieving FISMA compliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staff to: (1) manage system inventory, interfaces, and related system security threats and risks; (2) enter system security data into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system security documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate custom and predefined system security status reports to effectively and efficiently monitor each agency’s security posture and FISMA compliance. This includes agency-owned systems as well as those operated by contractors on the agency’s behalf.
[7] NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems (February 2010), was developed by the Joint Task Force Transformation Initiative Working Group.
[8] C&A is a process mandated by OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources (November 28, 2000). The process requires that IT system controls be documented and tested by technical personnel and that the system be given formal authority to operate by an agency official.
[9] Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of agreed-upon security controls.
[10] Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, which are made in support of security accreditation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Recertification is required periodically or as part of a continuous monitoring program.

USDA has established and is maintaining a security configuration management program, but further improvements are needed. Specifically, we found that the Department has established adequate policy and issued a memo stating that USDA will use the Federal standard baseline configurations for operating systems. However, agencies have not completely scanned their networks, corrected critical and high-risk vulnerabilities, or followed established baselines when configuring servers. For example, our review found that over 45 percent of the Department’s Windows 2003 server configuration settings did not comply with current Federal guidelines.[11] We also found that one agency was not scanning over 1,600 machines on a monthly basis as required by Departmental guidance.[12] This occurred because the network and security groups were not communicating.[13]

Although USDA’s incident handling has improved, we continue to find that the Department is not consistently following its own policy and procedures in regard to incident response and reporting. Our statistical review determined that 29 of 66 incidents that occurred during the year were not handled in accordance with Departmental procedures.[14] Additionally, our review determined that the Department has insufficient incident detection and monitoring coverage. From September 2010 through April 2011, USDA installed an incident detection toolkit, which alerts the Department to potential cyber-related incidents. During FY 2011, USDA had three employees who were responsible for monitoring the daily data, calibrating security tools, and analyzing incidents. The employees were able to analyze and process approximately 15 incidents per week. However, the Department stated that, with the appropriate resources, it would have been able to process up to 150 incidents per week. NIST SP 800-53 requires the organization to report suspected security incidents and related information to appropriate organizational authorities. USDA has assigned this responsibility to the Agriculture Security Operations Center (ASOC). According to the Department, it was aware of the up to 150 weekly security-related incidents and that it did not have sufficient resources to investigate or report the majority of them.

[11] Defense Information Systems Agency, Windows 2003 Security Technical Implementation Guide Overview (August 27, 2010). The NIST site incorporates checklists from various Federal entities including the Department of Defense.
[12] USDA Departmental Manual (DM) 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005).
[13] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (August 2009).
[14] Agriculture Security Operations Center (ASOC) Computer Incident Response Team (CIRT), Standard Operating Procedures for Reporting Security and Personally Identifiable Information Incidents, SOP-ASOC-001 (June 9, 2009).

Department policy met all NIST SP 800-53 requirements for annual security awareness training.[15] However, USDA lacks policy and procedures to govern specialized security training for personnel with significant information security responsibilities. In addition, we found that not all personnel received the required annual security awareness training and specialized security awareness training.[16] Specifically, of the three agencies reviewed, we did not find evidence that 1,383 of 10,904 users with login privileges had completed their annual security awareness training. We also found that 4 of 33 users identified as requiring specialized security training did not have documented proof that they received the training during FY 2011. As a result, USDA IT systems bear an increased risk of being compromised because users are allowed access to Department and agency information systems without the required training.

USDA did not have effective policy and procedures for reporting IT security deficiencies in CSAM. We found that plans of action and milestones (POA&Ms) did not include all known security weaknesses.[17] For example, the Department requires an agency to create a POA&M when an identified vulnerability cannot be remediated within 30 days.[18] However, our testing at 3 agencies showed 1,224 vulnerabilities that were over 30 days old without POA&Ms. In addition, our review of POA&Ms within CSAM found that agencies were not tracking the source (e.g., program review, Inspector General (IG) audit, etc.) of the security weaknesses as required by OMB.[19] Specifically, we found that 721 POA&Ms (34.4 percent of the total POA&Ms in FY 2011) did not track the source of security weaknesses. We also found 674 of 1,774 POA&Ms had an associated cost of zero dollars to remediate the identified weakness, instead of the necessary amount to remediate the weakness as required by OMB M-04-25 guidance. Additionally, we noted that the Department is not tracking and reviewing POA&Ms as required by the Department’s standard operating procedures (SOP). Finally, we were unable to verify that the Department completed the required reviews of closed POA&Ms in FY 2011 because there was inaccurate or inconsistent evidence supporting the reviews.

[15] DM 3545-001, Computer Security Training and Awareness (February 17, 2005).
[16] NIST SP 800-53 requires organizations to provide basic security awareness training to all users. Additionally, it requires organizations to provide role-based specialized security training related to specific roles and responsibilities for: information system managers, system and network administrators, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software. Organizations are to determine the appropriate content of security training and the specific requirements of the organization and the information systems to which personnel have authorized access.
[17] A POA&M is a tool that identifies tasks needing to be accomplished to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. It details resources required to accomplish the elements of the plan, milestones for meeting the task, and scheduled completion dates for the milestones. The goal of a POA&M should be to reduce the risk of the weakness identified.
[18] Plan of Action and Milestones Management Standard Operating Procedures, CPO-SOP 002 (June 29, 2011).
[19] OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act (August 23, 2004).

USDA’s remote access program needs significant improvements. Our review identified policy that did not meet NIST requirements.[20] The Department stated that procedures were the responsibility of the agencies, but we found that five of seven agencies reviewed by independent contractors did not consistently implement remote access procedures. In addition, we found agencies did not follow the policy that did exist. For example, USDA requires multi-factor authentication for all remote access (i.e., two means of identification).[21] However, we found that 8 of 10 agencies (reviewed by OIG, independent contractors, and agency annual self-assessments) did not have multi-factor authentication properly implemented for remote access. In addition, we found that agencies were not adequately encrypting laptop devices. For example, one agency had failed to encrypt 341 laptop devices because procedures were inadequate to ensure this was done for newly deployed hardware.

USDA developed an account and identity management policy, but it was not sufficiently detailed or consistently implemented.[22] In particular, the Department’s policy did not fully meet NIST SP 800-53 requirements; the Department procedures for managing accounts were not fully developed; and agencies had not implemented account management with the proper security settings.[23] The policy is in draft and the Department will begin developing the procedures next. As a result of the inadequate policy and procedures, agencies failed to consistently implement security settings. For example, we found former employees with active accounts, users with excessively elevated account privileges, and administrator accounts that did not follow the principle of granting the fewest privileges necessary for users to perform their work. Agencies have documented procedures, but are failing to follow them.

USDA has established an enterprise-wide continuous monitoring program that assesses the security state of information systems, but the Department needs to make significant improvements. Specifically, we found that USDA had not fully developed a strategy or plan for enterprise-wide continuous monitoring, and that ongoing assessments of security controls had not been performed. The Department’s continuous monitoring policy is currently in draft and is expected to be released in December 2011. In addition, we found 48 of 257 systems where ongoing assessments of selected security controls had not been performed in FY 2011 as required by NIST SP 800-53. The Department stated that it lacks the resources to implement robust, enterprise-wide continuous monitoring capabilities. As a result, the Department cannot effectively detect compliance and determine if implemented security controls within an information system are effective.

[20] NIST SP 800-46, Revision 1, Guide to Enterprise Telework and Remote Access Security (June 2009).
[21] USDA Departmental Regulation (DR) 3505-003, Access Control Policy (August 11, 2009). Multi-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other is typically something memorized, such as a security code. In this context, the two factors involved are sometimes spoken of as “‘something you have’ and ‘something you know.’”
[22] DR 3505-003, Access Control Policy (August 11, 2009); DR 3180-001, Information Technology Network Standards (September 30, 2008); and DM 3535-001, USDA's C2 Level of Trust (February 2005).
[23] USDA Identity, Credential and Access Management (ICAM) Identity Lifecycle Management Handbook (June 2011).

USDA has established and is maintaining an enterprise-wide business continuity/disaster recovery program, but it needs to make significant improvements. Specifically, the Department's contingency policy and procedures did not meet NIST 800-53 requirements because they have not been updated to include the new elements.[24] We found the template provided by the Department to the agencies for contingency planning purposes did not contain all of NIST’s required elements.[25] We also found that contingency plans were incomplete. Based on our sample results for 3 agencies, we estimate that 22 systems (about 59 percent) had missing or incomplete contingency plans.[26] In addition, we identified 33 of 257 systems for which USDA system contingency plans were not tested during FY 2011.

USDA did not have policy and procedures to oversee systems that contractors or other entities operated on agencies’ behalf. During our FY 2009 FISMA audit, we identified systems that should have been designated as contractor systems. In response, the Department stated that it would review the systems and change the designation to contractor systems if appropriate. Due to the missing policy and procedures, we found seven systems were still not included in the inventory of contractor systems. FISMA requires USDA to maintain an inventory of its information systems that, among other information, identifies interfaces between each system and all other systems or networks, including those not operated by, or under the control of, the agency.[27] During our review, we also found 18 of 18 systems had incorrectly reported their interconnections to other systems. Additionally, OIG found that USDA’s new cloud email service was not included in the official Department inventory and was not designated as a contractor system.[28]

Our testing of USDA’s capital planning process determined that the Department has established and maintains a security capital planning and investment program for information security.[29] However, one exception was identified in the Departmental capital planning policy.[30] Specifically, the policy lacked a description of what constitutes a “major IT investment” according to the capital planning process.

[24] DM 3570-001, Disaster Recovery and Business Resumption Plans (February 17, 2005).
[25] USDA Contingency Plan template (March 2011).
[26] We are 95 percent confident that between 15 (40 percent) and 29 systems (78 percent) had missing or incomplete contingency plans. Additional sample analysis information is presented in exhibit B.
[27] FISMA of 2002, Title III Information Security (December 17, 2002).
[28] Cloud computing is a model for enabling network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST SP 800-145, The NIST Definition of Cloud Computing (September 2011).
[29] Capital planning and investment control (CPIC) is a systematic approach to selecting, managing, and evaluating information technology investments. CPIC is mandated by the Clinger-Cohen Act of 1996 and requires Federal agencies to focus more on the results achieved through IT investments while streamlining the Federal IT procurement process (www.ocio.usda.gov/cpic/index.html).
[30] DM 3560-000, CPIC for Security Table of Content (February 17, 2005) and DM 3560-001, Security Requirements for CPIC (February 17, 2005).

The below recommendations are new for FY 2011. Because 27 recommendations from FY 2009 and FY 2010 remain without final closure (or were closed improperly), we have not made any repeat recommendations.[31] However, OIG noted that 25 of those recommendations have exceeded their estimated completion date. If the plans initiated to close out the FY 2009 and 2010 recommendations are no longer achievable due to budget cuts or other reasons, then OCIO needs to update those closure plans and request a change in management decision per Departmental guidance.[32]

Recommendation Summary

1. Develop and implement an effective plan to mitigate the IT material weaknesses within the Department in cooperation with the agencies. Ensure the plan includes prioritized tasks, defined goals, and realistic timeframes. The Department and its agencies, working in cooperation, should define and accomplish one or two critical objectives prior to proceeding on to the next set of priorities.

2. Develop a Risk Management policy and associated procedures that fully comply with NIST.

3. Develop monitoring procedures to verify that monthly vulnerability scans are completed as required by Departmental guidance.

4. Develop monitoring procedures to verify that all Department and agency network devices are configured in accordance with NIST SP 800-53.

5. Update the current incident response and reporting procedures to reflect current practices. Additionally, the Department needs to allocate appropriate resources to the ASOC allowing it to operate effectively in mitigating cyber-related incidents.

6. Deploy adequate resources to monitor and configure new security tools and then adequately report and close the related incidents.

7. Develop monitoring procedures to appropriately report the status of USDA employees being trained to meet their information security awareness needs.

8. Actively manage the POA&M process, which includes tracking and reviewing POA&Ms in accordance with its recently issued SOP.

9. Update the contingency plan template to adequately address all NIST SP 800-34 requirements.

10. Update USDA’s Capital Planning policy to incorporate a definition of a “major IT investment” so that agencies have a documented description to use.

[31] We found that two recommendations were closed without final action truly being achieved. For example, the Department closed out the prior recommendation to prioritize and accomplish one or two tasks before moving forward with another task. However, as noted in this report, our review found that OCIO is still trying to accomplish many tasks simultaneously.
[32] USDA Departmental Regulation (DR) 1720-001, Audit Follow-up and Management Decision (November 2, 2011).

Background & Objectives

Background

Improving the overall management and security of IT resources needs to be a top priority for USDA. Technology enhances users’ ability to share information instantaneously among computers and networks, but it also makes organizations’ networks and IT resources vulnerable to malicious activity and exploitation by internal and external sources. Insiders with malicious intent, recreational and institutional hackers, and attacks by foreign intelligence organizations are a few of the threats to the Department’s critical systems and data.

On December 17, 2002, the President signed into law the e-Government Act (Public Law 107-347), which includes Title III, FISMA. FISMA permanently reauthorized the framework established by the Government Information Security Reform Act (GISRA) of 2000, which expired in November 2002. FISMA continued the annual review and reporting requirements introduced in GISRA, and also included new provisions that further strengthened the Federal Government’s data and information systems security, such as requiring the development of minimum control standards for agencies’ systems. NIST was tasked to work with agencies in developing those standards as part of its statutory role in providing technical guidance to Federal agencies.

FISMA supplements the information security requirements established in the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996. FISMA consolidated these separate requirements and guidance into an overall framework for managing information security. It established new annual reviews, independent evaluations, and reporting requirements to ensure agencies implemented FISMA. It also established how OMB and Congress would oversee IT security.

FISMA assigned specific responsibilities to OMB, agency heads, CIO, and IG. In OMB M-10-28, OMB transferred portions of those responsibilities to DHS. The memorandum clarified that OMB is responsible for establishing and overseeing policies, standards, and guidelines for information security. It further stated that DHS exercises primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within FISMA. DHS was given broad implementation responsibilities to include overseeing agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of its annual FISMA report.

Each agency must establish a risk-based information security program that ensures information security is practiced throughout the lifecycle of each agency’s system. Specifically, the agency’s CIO is required to oversee the program, which must include:

· Periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems and data supporting critical operations and assets;
· Development and implementation of risk-based, cost-effective policies and procedures to provide security protections for the agency’s information;
· Training that covers security responsibilities for information security personnel and security awareness for agency personnel;
· Periodic management testing and evaluation of the effectiveness of security policies, procedures, controls, and techniques;
· Processes for identifying and remediating significant security deficiencies;
· Procedures for detecting, reporting, and responding to security incidents; and
· Annual program reviews by agency officials.

In addition to the responsibilities listed above, FISMA requires each agency to have an annual independent evaluation of its information security
program and practices, including control\ntesting and compliance assessment. The evaluations are to be performed by the agency\xe2\x80\x99s IG or\nan independent evaluator, and the results of these evaluations are to be reported to OMB.\n\nObjectives\nThe objective of this audit was to evaluate the status of USDA\xe2\x80\x99s overall IT security program by\nevaluating the:\n\n   \xc2\xb7   Effectiveness of the Department\xe2\x80\x99s oversight of agencies\xe2\x80\x99 IT security programs, and\n       compliance with FISMA;\n   \xc2\xb7   Agencies\xe2\x80\x99 systems of internal controls over IT assets;\n   \xc2\xb7   Department\xe2\x80\x99s progress in establishing a Departmentwide security program, which\n       includes effective certifications and accreditations;\n   \xc2\xb7   Agencies\xe2\x80\x99 and the Department\xe2\x80\x99s POA&M consolidation and reporting process; and\n   \xc2\xb7   Effectiveness of controls over configuration management, incident response, IT training,\n       remote access management, identity and access management, continuous monitoring,\n       contingency planning, contractor systems, and capital planning.\n\n\n\n\n                                                           AUDIT REPORT 50501-0002-12        11\n\x0cScope and Methodology\nThe scope of our review was Departmentwide and included agency IT audit work completed\nduring FY 2011. We conducted this audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objectives.\n\nFieldwork for this audit was performed remotely at USDA locations throughout the continental\nUnited States from May 2011 through October 2011. 
In addition, this report incorporates audits\ndone throughout the year by OIG. Testing was conducted at offices in the Washington, D.C.\narea, and Kansas City, Missouri. Additionally, we included the results of IT control testing and\ncompliance with laws and regulations performed by contract auditors at seven additional USDA\nagencies. In total, our FY 2011 audit work covered 15 agencies and staff offices:\n\n     \xc2\xb7   Agricultural Marketing Service (AMS),\n     \xc2\xb7   Animal and Plant Health Inspection Service (APHIS),\n     \xc2\xb7   Departmental Management (DM),\n     \xc2\xb7   Food and Nutrition Service (FNS),\n     \xc2\xb7   Forest Service (FS),\n     \xc2\xb7   Farm Service Agency (FSA),\n     \xc2\xb7   Food Safety and Inspection Service (FSIS),\n     \xc2\xb7   National Agricultural Statistics Service (NASS),\n     \xc2\xb7   National Finance Center (NFC),\n     \xc2\xb7   National Institute of Food and Agriculture (NIFA),\n     \xc2\xb7   National Information Technology Center (NITC),\n     \xc2\xb7   Natural Resources Conservation Service (NRCS),\n     \xc2\xb7   Office of the Chief Information Officer (OCIO),\n     \xc2\xb7   Rural Development (RD), and\n     \xc2\xb7   Risk Management Agency (RMA).\n\nThese agencies and staff offices operate approximately 200 of the Department\xe2\x80\x99s estimated\n257 general support and major application systems.\n\nTo accomplish our audit objectives, we performed the following procedures:\n\n     \xc2\xb7   Consolidated the results and issues from our prior IT security audit work and the work\n         contractors performed on our behalf. Contractor audit work consisted primarily of audit\n         procedures found in the U.S. 
Government Accountability Office\xe2\x80\x99s (GAO) Financial\n         Information System Control Audit Manual;\n     \xc2\xb7   Evaluated the Department\xe2\x80\x99s progress in implementing recommendations to correct\n         material weaknesses identified in prior OIG and GAO audit reports;\n\n\n\n12       AUDIT REPORT 50501-0002-12\n\x0c   \xc2\xb7   Gathered the necessary information to address the specific reporting requirements\n       outlined in OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information\n       Security Management Act and Agency Privacy Management (September 14, 2011);\n   \xc2\xb7   Performed detailed testing specific to FISMA requirements at selected agencies, as\n       detailed in this report; and\n   \xc2\xb7   Performed statistical sampling on testing where appropriate. Additional sample analysis\n       information is presented in exhibit B.\n\nTesting results were compared against NIST controls, OMB/DHS guidance, e-Government Act\nrequirements, and Departmental policies and procedures for compliance.\n\n\n\n\n                                                          AUDIT REPORT 50501-0002-12        13\n\x0cAbbreviations\nAMS............................ Agricultural Marketing Service\nAPHIS ......................... Animal and Plant Health Inspection Service\nASOC.......................... Agriculture Security Operations Center\nBIA.............................. Business Impact Analysis\nC&A............................ Certification and Accreditation\nCIRT ........................... Computer Incident Response Team\nCSAM ......................... Cyber Security Assessment and Management\nCIO.............................. Chief Information Officer\nCISO ........................... Chief Information Security Office\nCPIC............................ Capital Planning & Investment Control\nDHS............................. Department of Homeland Security\nDM .............................. 
Departmental Management or USDA Department Manual\nDR ............................... USDA Departmental Regulation\nDoD............................. Department of Defense\nFDCC .......................... Federal Desktop Core Configuration\nFIPS............................. Federal Information Processing Standard\nFISMA ........................ Federal Information Security Management Act of 2002\nFNS ............................. Food and Nutrition Service\nFS ................................ Forest Service\nFSA ............................. Farm Service Agency\nFSIS............................. Food Safety and Inspection Service\nFY ............................... Fiscal Year\nGAO............................ Government Accountability Office\nGISRA......................... Government Information Security Reform Act\nHSPD-12 ..................... Homeland Security Presidential Directive-12\nICAM .......................... Identity, Credential and Access Management\nIG ................................ Inspector General\nISA .............................. Interconnection Security Agreement\nIT................................. Information Technology\nMOU ........................... Memorandum of Understanding\nNASS .......................... National Agricultural Statistics Service\n\n14       AUDIT REPORT 50501-0002-12\n\x0cNCSD.......................... National Cyber Security Division\nNFC............................. National Finance Center\nNIFA ........................... National Institute of Food and Agriculture\nNIST............................ National Institute of Standards and Technology\nNITC ........................... National Information Technology Center\nNRCS .......................... Natural Resources Conservation Service\nOCIO........................... Office of the Chief Information Officer\nOIG ............................. Office of Inspector General\nOMB ........................... 
Office of Management and Budget\nPIV .............................. Personal Identify Verification\nPOA&M...................... Plan of Action and Milestones\nRD ............................... Rural Development\nRMA ........................... Risk Management Agency\nRMF ............................ Risk Management Framework\nSAR............................. Security Assessment Report\nSOP ............................. Standard Operating Procedures\nSP ................................ Special Publication\nSSP.............................. System Security Plan\nTT&E .......................... Test, Training, and Exercise\nUS-CERT.................... US-Computer Emergency Readiness Team\nUSDA.......................... Department of Agriculture\n\n\n\n\n                                                                    AUDIT REPORT 50501-0002-12   15\n\x0cExhibit A: Office of Management and Budget (OMB)/Department\nof Homeland Security (DHS) Reporting Requirements and U. S.\nDepartment of Agriculture (USDA) Office of Inspector General\n(OIG) Position\nOMB/DHS\xe2\x80\x99 questions are set apart by boldface in each section. OIG checks items on\nOMB/DHS\xe2\x80\x99 list, boldfacing and underlining the relevant text. We answer direct questions with\nTrue or False.\n\nThe universe of systems and agencies reviewed varied during each audit or review in this report.\nAs part of Federal Information Security Management Act (FISMA), OIG reviewed systems and\nagencies, audit work conducted for OIG by independent public accounting firm contractors,\nannual agency self-assessments, and various OIG audits conducted throughout the year. 33 Since\nthe scope of each review and audit differed, we could not use every review or audit to answer\neach question.\n\nThe audit team reviewed multiple areas of FISMA. We incorporated statistical sampling for four\nFISMA areas. 
Each of the four areas was represented by the relevant universe associated with it.\nThe specific designs are summarized in exhibit B.\n\n\nS1: Risk Management\nSection 1: Risk Management\n\nCheck one: (1.a, 1.b, or 1.c)\n\n1.a. The agency has established and is maintaining a risk management program that is\nconsistent with FISMA requirements, OMB policy, and applicable\nNational Institute of Standards and Technology (NIST) guidelines. Although improvement\nopportunities may have been identified by OIG, the program includes the following\nattributes:\n       1.a(1). Documented and centrally accessible policies and procedures for risk\n       management, including descriptions of the roles and responsibilities of participants\n       in this process.\n       1.a(2). Addresses risk from an organization perspective with the development of a\n       comprehensive governance structure and organization-wide risk management\n       strategy as described in NIST 800-37, Rev. 1.\n       1.a(3). Addresses risk from a mission and business process perspective and is\n       guided by the risk decisions at the organizational perspective, as described in\n\n33\n  Agency annual self-assessments are a result of OMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal\nControl (December 21, 2004) which defines management\xe2\x80\x99s responsibility for internal controls in Federal agencies.\nThe Circular requires agencies\xe2\x80\x99 management to annually provide assurances on internal control in its Performance\nand Accountability Report. During the annual assessment, agencies take measures to develop, implement, assess,\nand report on internal control, and to take action on needed improvements.\n\n16      AUDIT REPORT 50501-0002-12\n\x0c       NIST 800-37, Revision 1.\n       1.a(4). 
Addresses risk from an information system perspective and is guided by the\n       risk decisions at the organizational perspective and the mission and business\n       perspective, as described in NIST 800-37, Rev. 1.\n       1.a(5). Categorizes information systems in accordance with government policies.\n       1.a(6). Selects an appropriately tailored set of baseline security controls.\n       1.a(7). Implements the tailored set of baseline security controls and describes how\n       the controls are employed within the information system and its environment of\n       operation.\n       1.a(8). Assesses the security controls using appropriate assessment procedures to\n       determine the extent to which the controls are implemented correctly, operating as\n       intended, and producing the desired outcome with respect to meeting the security\n       requirements for the system.\n       1.a(9). Authorizes information system operation based on a determination of the\n       risk to organizational operations and assets, individuals, other organizations, and\n       the Nation resulting from the operation of the information system and the decision\n       that this risk is acceptable.\n       1.a(10). Ensures information security controls are monitored on an ongoing basis,\n       including assessing control effectiveness, documenting changes to the system or its\n       environment of operation, conducting security impact analyses of the associated\n       changes, and reporting the security state of the system to designated organizational\n       officials.\n       1.a(11). Information system-specific risks (tactical), mission/business-specific risks\n       and organizational level (strategic) risks are communicated to appropriate levels of\n       the organization.\n       1.a(12). Senior officials are briefed on threat activity on a regular basis by\n       appropriate personnel. (e.g., CISO).\n       1.a(13). 
Prescribes the active involvement of information system owners and\n       common control providers, chief information officers, senior information security\n       officers, authorizing officials, and other roles as applicable in the ongoing\n       management of information system-related security risks.\n       1.a(14). Security authorization package contains system security plan, security\n       assessment report, and POA&M in accordance with government policies.\n\n1.b. The agency has established and is maintaining a risk management program.\nHowever, the agency needs to make significant improvements as noted below.\n\n1.c. The agency has not established a risk management program.\n\nIf 1.b. is checked above, check areas that need significant improvement:\n\n1.b(1). Risk management policy is not fully developed. True\n\nWe found the Department had not developed a risk management policy. According to the\nDepartment, this occurred because the governance team which was overseeing the risk\nmanagement framework (RMF) was disbanded due to budget cuts. As a result, USDA cannot\n\n\n                                                         AUDIT REPORT 50501-0002-12        17\n\x0censure that it had a consistent and effective approach to risk management that applies to all risk\nmanagement processes and procedures.\n\n1.b(2). Risk management procedures are not fully developed, sufficiently detailed\n(SP 800-37, SP 800-39, SP 800-53). True\n\nWe found that the Department did not have risk management procedures fully developed. As of\nAugust 8, 2011, the Department had a guide that addresses parts of the six-step RMF process.\nThe guide also clarifies the steps necessary to complete the C&A process. Agencies are required\nto submit their system C&A packages and all supporting documents to the Department for an\nindepth review (i.e., a concurrency review). 
During this review, USDA ensures that the\ndocumentation prepared to support system accreditation is complete, accurate, reliable, and\nmeets NIST and other mandated standards.34 According to the Department, the procedures were\nnot fully developed because the governance team which was overseeing the RMF was disbanded\ndue to budget cuts. As a result, the Department could not ensure that it had a consistent and\neffective approach to risk management that applies to all risk management processes and\nprocedures.\n\n1.b(3). Risk management procedures are not consistently implemented in accordance with\ngovernment policies (SP 800-37, SP 800-39, SP 800-53). True\n\nWe found that the Department did not fully develop risk management procedures (as stated in\n1.b(2)). Because of this, we could not verify that procedures were consistently implemented in\naccordance with government policies.\n\n1.b(4). A comprehensive governance structure and agency-wide risk management strategy\nhas not been fully developed in accordance with government policies (SP 800-37, SP 800-39,\nSP 800-53). True\n\nWe found that the Department did not have a comprehensive governance structure or a fully\ndeveloped agency-wide risk management strategy. Since the Department did not have a risk\nmanagement policy (as stated in 1.b(1)) or fully developed procedures (as stated in 1.b(2)), we\ncould not verify that a comprehensive governance structure and agency-wide risk management\nstrategy existed.\n\n1.b(5). Risks from a mission and business process perspective are not addressed\n(SP 800-37, SP 800-39, SP 800-53). True\n\nWe found the Department did not have a risk management policy that addressed the mission and\nbusiness process perspective. 
Since the Department did not have a risk management policy (as\nstated in 1.b(1)) or fully developed procedures (as stated in 1.b(2)), we could not verify that the\nrisks from a mission and business process perspective were addressed.\n\n34\n  Security accreditation is the official management decision made by a senior agency official to authorize operation\nof an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based\non the implementation of agreed-upon security controls.\n\n\n18      AUDIT REPORT 50501-0002-12\n\x0c1.b(6). Information systems are not properly categorized (FIPS 199/SP 800-60). True\n\nWe generated a report from Cyber Security Assessment and Management (CSAM), which\nidentified the categorization level for each of the Department\xe2\x80\x99s systems.35 The report included\nthe impact levels for confidentiality, integrity, and availability, which were categorized as high,\nmoderate, and low. We compared the generated report to the recommendations in\nNIST SP 800-60 and found that 15 of 257 systems indicated a lower categorization than was\nrecommended during the C&A process without adequate justification for the reduction in\ncategorization level.36 Therefore, systems were not properly categorized. NIST SP 800-60\nrequires that any adjustments to the recommended impact levels be documented and include\njustification for the adjustment. However, we found the provided justifications to be the same\nfor all 15 systems, though the purposes of the systems were very diverse.\n\n1.b(7). Appropriately tailored baseline security controls are not applied to information\nsystems in accordance with government policies (FIPS 200/SP 800-53). 
True\n\nNIST SP 800-53 recommends a set of minimum baseline security controls contingent upon the\nsystem\xe2\x80\x99s overall categorization.37 The lower the category, the fewer controls required.\nTherefore, the incorrect categorization noted in 1.b(6) led to inadequate controls being\nimplemented for those 15 systems. NIST SP 800-60 states that an incorrect information system\nimpact analysis could result in the agency either overprotecting the information system (thereby\nwasting valuable security resources) or under-protecting the information system (and placing\nimportant operations and assets at risk).\n\n1.b(8). Risk assessments are not conducted in accordance with government policies\n(SP 800-30). True\n\nThe risk assessments we reviewed were not conducted in accordance with Government policies.\nSpecifically, our review found 10 of 10 systems did not have sufficient documentation to\nsubstantiate the testing.38 Based on the statistical sample results, we estimate that none of the\n\n\n\n35\n   CSAM is a comprehensive system developed by the Department of Justice, which can help in achieving FISMA\ncompliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staffs to (1)\nmanage their system inventory, interfaces, and related system security threats and risks; (2) enter system security\ndata into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system\nsecurity documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate\ncustom and predefined system security status reports to effectively and efficiently monitor each agency\xe2\x80\x99s security\nposture and FISMA compliance. This includes agency-owned systems or those operated by contractors on the\nagency\xe2\x80\x99s behalf.\n36\n   NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories,\nVol. 
1 (August 2008).\n37\n   NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3\n(August 2009).\n38\n   We selected a simple random sample of 25 systems for review, which would satisfy various possible\ncombinations of error rates, confidence levels, and tolerable error rates. We would consider stop-or-go if for a given\ncriterion there are zero plans with an exception after the first 15 plans are reviewed, or after the first 10 plans are\nreviewed, if all plans have an exception. Additional sample analysis information is presented in exhibit B.\n\n                                                                         AUDIT REPORT 50501-0002-12                19\n\x0c55 risk assessments were conducted in accordance with Government policies.39 This occurred\nbecause the system-generated documents that were being used did not encompass the primary\nsteps required by NIST SP 800-30.40 As a result, the Department could not ensure agencies were\nproperly managing their IT-related mission risks.\n\n1.b(9). Security control baselines are not appropriately tailored to individual information\nsystems in accordance with government policies (SP 800-53). True\n\nNIST SP 800-53 recommends a set of minimum baseline security controls based on the system\xe2\x80\x99s\noverall categorization. The lower the category, the fewer controls required. Therefore, the\nincorrect categorization noted in 1.b(6) led to inadequate controls being implemented for those\n15 systems. NIST SP 800-60 states that the value of information security categorizations is to\nenable agencies to proactively implement appropriate information security controls based on the\nassessed potential impact to information confidentiality, integrity, and availability.\n\n1.b(10). 
The communication of information system-specific risks, mission/business-specific\nrisks and organizational level (strategic) risks to appropriate levels of the organization is\nnot in accordance with government policies. False\n\nNo exception noted. We found the Department communicated information system-specific risks,\nmission/business-specific risks, and organizational level (strategic) risks to appropriate levels of\nthe organization in accordance with Government policies.\n\n1.b(11). The process to assess security control effectiveness is not in accordance with\ngovernment policies (SP 800-53A). False\n\nNo exception noted. We found that the Department had issued guidance to agencies on 33 key\ncontrols that should be tested annually.41\n\n1.b(12). The process to determine risk to agency operations, agency assets, individuals, or\nto authorize information systems to operate is not in accordance with government policies\n(SP 800-37). False\n\nNo exception noted. We found the Department had a process to determine the risk to agency\noperations, agency assets, and individuals, or to authorize information systems to operate.\n\n\n\n\n39\n   We are 95 percent confident that at least 76.3 percent of the risk assessments in our audit universe were not\nconducted in accordance with Government policies. Additional sample analysis information is presented in exhibit\nB.\n40\n   NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002).\n41\n   OCIO established a working group to help select financially significant, key system, and common controls for the\nDepartment for annual testing. Security controls were selected from the 17 control families of NIST SP 800-53,\nRev. 3.\n\n\n20      AUDIT REPORT 50501-0002-12\n\x0c1.b(13). The process to continuously monitor changes to information systems that may\nnecessitate reassessment of control effectiveness is not in accordance with government\npolicies (SP 800-37). 
True

NIST SP 800-53 states that the organization will assess the security controls in an information system as part of the testing/evaluation process. However, we identified 48 of 257 systems where ongoing assessments of selected security controls had not been performed in FY 2011.

1.b(14). Security plan is not in accordance with government policies (SP 800-18, SP 800-37). True

The System Security Plans (SSP) we reviewed were inadequate and not in accordance with Government policies.42 Specifically, the security controls were not implemented properly and did not sufficiently address each control. For example, 12 of 12 systems stated the control involving Security Awareness Training was an inherited control. However, this control could not be inherited because procedures had to be developed by the agencies as required by Departmental policy. Based on the statistical sample results, we estimate that all 55 SSPs are inadequate.43 If all controls were not implemented effectively, systems may be inadequately protected.

1.b(15). Security assessment report is not in accordance with government policies (SP 800-53A, SP 800-37). True

The Department’s Security Assessment Reports (SARs) we reviewed failed to meet the minimum security requirements of NIST SP 800-37.44 Our review of SARs found that 10 of 10 were not conducted in accordance with Government policies. For example, our review found no evidence that the required controls had been tested. Additionally, NIST SP 800-37 requires a security assessment plan to be included with the SAR, which provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and assessment procedures. We found during our review that security assessment plans were not included in the Department’s SARs. Based on the sample results, we estimate that all 55 SARs failed to meet the minimum NIST security requirements.45 As a result, USDA cannot be assured that all system controls had been documented and tested, and that systems were operating at an acceptable level of risk.

42 The SSP is a required C&A document that provides an overview of the security requirements of the system and describes the controls in place (or planned) for meeting those requirements. The SSP also delineates responsibilities and expected behavior of all individuals who access the system. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems (February 2006).
43 We are 95 percent confident that at least 80.3 percent of the SSPs for systems in the audit universe are inadequate. Additional sample analysis information is presented in exhibit B.
44 NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems (February 2010).
45 We are 95 percent confident that at least 76.4 percent of the SARs for systems in the audit universe are inadequate. Additional sample analysis information is presented in exhibit B.

1.b(16). Accreditation boundaries for agency information systems are not defined in accordance with government policies. False

No exception noted. We found all 18 systems reviewed met NIST SP 800-18 accreditation boundaries.46

46 NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems (February 2006).

Section 2: Configuration Management

Check one: (2.a, 2.b, or 2.c)

2.a. The agency has established and is maintaining a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by OIG, the program includes the following attributes:
       2.a(1). Documented policies and procedures for configuration management.
       2.a(2). Standard baseline configurations defined.
       2.a(3). Assessing for compliance with baseline configurations.
       2.a(4). Process for timely, as specified in agency policy or standards, remediation of scan result deviations.
       2.a(5). For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented.
       2.a(6). Documented proposed or actual changes to hardware and software configurations.
       2.a(7). Process for timely and secure installation of software patches.

2.b. The agency has established and is maintaining a security configuration management program. However, the agency needs to make significant improvements as noted below.

2.c. The agency has not established a security configuration management program.

If 2.b. is checked above, check areas that need significant improvement:

2.b(1). Configuration management policy is not fully developed (NIST 800-53: CM-1). False

No exception noted. We found that the Department’s configuration management policy met NIST SP 800-53 requirements.

2.b(2). Configuration management procedures are not fully developed (NIST 800-53: CM-1). True

NIST SP 800-53 requires that the organization develop formal documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. OIG and independent contractors found that three of six agencies reviewed did not have configuration management procedures or the procedures were not fully developed. For example, one of the agencies was unable to provide any documented procedures and a second agency did not have all required NIST SP 800-53 elements in its procedure.

2.b(3). Configuration management procedures are not consistently implemented (NIST 800-53: CM-1). True

As noted in 2.b(2), OIG and independent contractors found that three of six agencies either did not have configuration management procedures or did not consistently implement the procedures they had.

2.b(4). Standard baseline configurations are not identified for software components (NIST 800-53: CM-2). False

No exception noted. NIST SP 800-53, under configuration control, requires the organization to develop, document, and maintain a current baseline configuration of the information system. The Department had issued a memo on May 26, 2011, stating that NIST SP 800-70 would be the official baseline configuration guide repository for operating systems in use at USDA.47 Our review of three agencies found them using the NIST baseline configurations for all current operating systems.

2.b(5). Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2). True

Federal Information Processing Standard (FIPS) 200 requires the organization to establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.48 We found 3 of 12 systems did not adequately develop hardware baseline configurations. Also, one agency was identified by independent contractors as not having a standard baseline configuration for all hardware.

47 NIST SP 800-70 rev. 2, National Checklist Program for IT Products—Guidelines for Checklist Users and Developers (February 2011).
48 FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems (March 2006), states that organizations must: (1) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (2) establish and enforce security configuration settings for information technology products employed in organizational information systems.

2.b(6). Standard baseline configurations are not fully implemented (NIST 800-53: CM-2). True

We found that five of seven agencies were not following standard baseline configurations. For example, our review identified that over 45 percent of the Department's Windows 2003 server configuration settings did not comply with current Federal guidelines.49

2.b(7). FDCC/USGCB is not fully implemented (OMB) and/or all deviations are not fully documented (NIST 800-53: CM-6). False

No exception noted. OMB required agencies with—or planning to update to—Windows Vista or Windows XP operating systems to adopt standard security configurations on workstations by February 1, 2008.50 The standard security configurations were developed by NIST, DoD, and DHS and are commonly referred to as the Federal desktop core configuration (FDCC). Our reviews at 3 agencies found that less than 7 percent of all required settings on workstations were not compliant and that all deviations from the FDCC had fully documented waivers.

2.b(8). Software assessing (scanning) capabilities are not fully implemented (NIST 800-53: RA-5, SI-2). True

The Department required all agencies to establish and implement procedures for accomplishing monthly vulnerability scanning of all networks, systems, servers, and desktops for which they were responsible.51 This includes performing monthly scans and remediating vulnerabilities found as a result of the scans. OIG and independent contractors determined that three of six agencies reviewed did not scan all devices and did not correct critical vulnerabilities in a timely manner. For example, we found that one agency was not scanning over 1,600 machines on a monthly basis as required. This occurred because the network and security groups were not communicating.

2.b(9). Configuration-related vulnerabilities, including scan findings, have not been remediated in a timely manner, as specified in agency policy or standards (NIST 800-53: CM-4, CM-6, RA-5, SI-2). True

NIST requires Federal agencies to establish and document mandatory configuration settings for information technology products deployed within the information system, and to implement the recommended configuration settings. Our review of seven agencies disclosed that configuration vulnerabilities were not being mitigated and remediated in a timely manner. Specifically, we found that 75 of 216 network device settings were not configured in accordance with NIST SP 800-53.

49 Defense Information Systems Agency, Windows 2003 Security Technical Implementation Guide Overview (August 27, 2010). The NIST site incorporates checklists from various Federal entities including the Department of Defense (DoD).
50 OMB Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (March 22, 2007).
51 USDA Department Manual (DM) 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005).

2.b(10). Patch management process is not fully developed, as specified in agency policy or standards (NIST 800-53: CM-3, SI-2). False

No exception noted. NIST SP 800-53 requires Federal agencies to incorporate vendor software flaw remediation (patches) into the organizational configuration management process. Our review of three agencies identified that over 90 percent of all patches had been applied as required.

Section 3: Incident Response and Reporting

Check one: (3.a, 3.b, or 3.c)

3.a. The agency has established and is maintaining an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by OIG, the program includes the following attributes:
       3.a(1). Documented policies and procedures for detecting, responding to, and reporting incidents.
       3.a(2). Comprehensive analysis, validation and documentation of incidents.
       3.a(3). When applicable, reports to US-CERT within established timeframes.
       3.a(4). When applicable, reports to law enforcement within established timeframes.
       3.a(5). Responds to and resolves incidents in a timely manner, as specified in agency policy or standards, to minimize further damage.
       3.a(6). Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
       3.a(7). Is capable of correlating incidents.

3.b. The agency has established and is maintaining an incident response and reporting program. However, the agency needs to make significant improvements as noted below.

3.c. The agency has not established an incident response and reporting program.

If 3.b. is checked above, check areas that need significant improvement:

3.b(1). Incident response and reporting policy is not fully developed (NIST 800-53: IR-1). False

No exception noted. We found that Department policy met all of NIST’s requirements.52 The Department has developed a new incident policy, which is in draft. As of September 30, 2011, the policy had not yet been finalized.

52 NIST SP-800-61, Computer Security Incident Handling Guide (March 2008).

3.b(2). Incident response and reporting procedures are not fully developed or sufficiently detailed (NIST 800-53: IR-1). True

Our review identified that the day-to-day procedures were not accurately reflected in the documented Agriculture Security Operations Center (ASOC) Standard Operating Procedure (SOP).53 As an example, we determined the SOP did not include the updated versions of incident checklists utilized by the incident response team. In addition, audit work done by OIG and independent contractors determined that three of four agencies did not have procedures that were fully developed or sufficiently detailed. For example, two agencies had not developed procedures, while the other two agencies’ procedures did not include the classification of the types of incidents or the reporting requirements for the specific incident categories.

3.b(3). Incident response and reporting procedures are not consistently implemented in accordance with government policies (NIST 800-61, Rev. 1). True

Our review of 66 incidents found that 7 were not handled in accordance with Departmental procedures.54 Based on our overall statistical sample results, we estimate that 139 incidents (9.4 percent of the universe) were not handled in accordance with Departmental procedures.55 Specifically, agencies were required to submit documentation to the Department, detailing the steps taken to close out the incident. Specific documents and completed forms were required to be returned to the Department; however, we found that all seven incidents had either missing or incomplete documentation. For example, for none of the 7 incidents had the 24-hour response checklist been completed as required by the Department’s SOP for incident reporting.

Additionally, we noted an incident that was identified at an agency which was not reported to ASOC as required by Departmental incident response procedures.56 An agency employee allowed an unauthorized individual to access her Federal computer. This unauthorized individual subsequently modified system hardware and software characteristics without the owner's knowledge and deployed malicious software on the computer. Though the agency was notified of these malicious actions and was aware that the employee had granted unauthorized access, the agency failed to notify the Department. As of September 30, 2011, this incident was over 6 months old and had not been reported to the Department, as required.

3.b(4). Incidents were not identified in a timely manner, as specified in agency policy or standards (NIST 800-53, 800-61, and OMB M-07-16, M-06-19). False

No exception noted.

53 Agriculture Security Operations Center (ASOC) Computer Incident Response Team (CIRT), Standard Operating Procedures for Reporting Security and Personally Identifiable Information Incidents, SOP-ASOC-001 (June 9, 2009).
54 Stratum 1 is a census stratum of two incidents. For Stratum 2, the sample size of 64 incidents was based on an expected error rate of 20 percent and a desired absolute precision of +/-10 percent of the audit universe, when reporting a 95 percent confidence level. Additional sample design information is presented in exhibit B.
55 We are 95 percent confident that between 33 (2.3 percent of the universe) and 244 (16.6 percent of the universe) incidents were not handled in accordance with Departmental procedures. Additional sample design information is presented in exhibit B.
56 DM 3505-001, Cyber Security Incident Handling Procedure (March 20, 2006).

3.b(5). Incidents were not reported to US-CERT as required (NIST 800-53, 800-61, and OMB M-07-16, M-06-19). True

The U.S. Computer Emergency Readiness Team (US-CERT) requires USDA to notify it of incidents within specified timeframes that are based on the category of the incident.57 Our review of incidents disclosed the Department did not report 5 of 66 incidents to US-CERT within the required timeframe. Based on our statistical sample results, we estimate that 115 incidents (7.8 percent of the universe) were not reported to US-CERT as required.58 For example, US-CERT requires that lost or stolen equipment incidents be reported within 1 hour; however, we found that the Department did not report a stolen laptop incident to US-CERT for 27 hours. In addition, for three incidents we could not verify whether US-CERT was notified according to policy, because the proper documents were not provided. We found that the email audit logging feature for the incident tracking server was not activated until June 1, 2011. Therefore, any emails automatically sent to US-CERT before that date were not retrievable.

3.b(6). Incidents were not reported to law enforcement as required (SP 800-86). True

We found 2 of the 66 incidents were not reported to OIG as required by DM 3505-001. Additionally, we identified that the automated email notification, which alerts OIG of cyber-related security incidents, did not do so for over three months.

3.b(7). Incidents were not resolved in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19). True

If an incident is not resolved after 30 days, the Department’s procedures require the agency to open a plan of action and milestones (POA&M).59 We found that 6 of the 66 incidents were not resolved within 30 days and no POA&Ms were created for the incidents. Based on our sample results, we estimate 138 incidents (9.4 percent of the universe) were not resolved in a timely manner.60

57 US-CERT provides response support and defense against cyber attacks for the Federal Civil Executive Branch (i.e., “.gov”) and information sharing and collaboration with State and local government, industry, and international partners. US-CERT is the operational arm of the National Cyber Security Division (NCSD) at DHS. NCSD was established by DHS to serve as the Federal Government’s cornerstone for cyber security coordination and preparedness.
58 We are 95 percent confident that between 18 (1.2 percent of the universe) and 212 (14.4 percent of the universe) incidents were not reported to US-CERT as required. Additional sample design information is presented in exhibit B.
59 A POA&M is a tool that identifies tasks needing to be accomplished to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. It details resources required to accomplish the elements of the plan, milestones in meeting the task, and scheduled completion dates for the milestones. The goal of a POA&M should be to reduce the risk of the weakness identified.
60 We are 95 percent confident that between 32 (2.2 percent of the universe) and 243 (16.5 percent of the universe) incidents were not resolved in a timely manner. Additional sample design information is presented in exhibit B.

3.b(8). Incidents were not resolved to minimize further damage (NIST 800-53, 800-61, and OMB M-07-16, M-06-19). True

NIST SP 800-61 states incident response teams should use information gained during incident handling to better prepare for future incidents and to provide stronger protections for systems and data. We found that 14 of the 66 incidents were not resolved to minimize further damage. Based on our statistical sample results, we estimate 322 incidents (21.8 percent of the universe) were not resolved to minimize further damage.61 For example, a user had unauthorized software installed on his computer. The remediation action taken by the agency was to contact the user and tell him to uninstall the software, without any additional follow-up.

3.b(9). There is insufficient incident monitoring and detection coverage in accordance with government policies (NIST 800-53, 800-61, and OMB M-07-16, M-06-19). True

Our review of the Department's incident monitoring and detection capability determined the Department had insufficient incident detection and monitoring coverage. From September 2010 to April 2011, USDA installed an incident detection toolkit, which alerts the Department to potential cyber-related incidents. During FY 2011, USDA had three employees who were responsible for monitoring the daily data, calibrating security tools, and performing incident analysis. The individuals were able to analyze and process approximately 15 incidents per week. However, the Department stated that with the appropriate resources, it would have been able to process up to 150 incidents per week. NIST SP 800-53 requires the organization to report suspected security incidents and related information to appropriate organizational authorities. USDA has assigned this responsibility to the ASOC. According to the Department, it was aware of the up to 150 weekly security-related incidents and that it did not have sufficient resources to investigate or report the majority of them.

3.b(10). The agency cannot or is not prepared to track and manage incidents in a virtual/cloud environment. True

NIST SP 800-53 requires the organization to track and document information security-related incidents, no matter where the Federal information resides. Over the past two years, the Department had implemented a cloud-based email solution.62 In discussions with Departmental officials and a review of the agreement between USDA and the contractor, we were unable to verify that USDA was prepared to track and manage incidents in this environment. We found that these responsibilities were not adequately addressed in the agreement between the Department and the cloud contractor. As a result, there was an increased risk of incidents occurring within the cloud environment that are not being identified and tracked by USDA.

61 We are 95 percent confident that between 172 (11.7 percent of the universe) and 471 (32 percent of the universe) incidents were not resolved to minimize further damage. Additional sample design information is presented in exhibit B.
62 Cloud computing is a model for enabling network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST SP 800-145, The NIST Definition of Cloud Computing (September 2011).

3.b(11). The agency does not have the technical capability to correlate incident events. False

No exception noted. ASOC possesses the technical capability to correlate incidents across USDA’s network through the use of network analysis tools. However, as noted in 3.b(9), the Department stated it did not have the resources to adequately process the number of incidents it was currently monitoring.

Section 4: Security Training

Check one: (4.a, 4.b, or 4.c)

4.a. The agency has established and is maintaining a security training program consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by OIG, the program includes the following attributes:
       4.a(1). Documented policies and procedures for security awareness training.
       4.a(2). Documented policies and procedures for specialized training for users with significant information security responsibilities.
       4.a(3). Security training content based on the organization and its roles, as specified in agency policy or standards.
       4.a(4). Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other agency users) with access privileges that require security awareness training.
       4.a(5). Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other agency users) with significant information security responsibilities that require specialized training.

4.b. The agency has established and is maintaining a security training program. However, the agency needs to make significant improvements as noted below.

4.c. The agency has not established a security training program.

If 4.b. is checked above, check areas that need significant improvement:

4.b(1). Security awareness training policy is not fully developed (NIST 800-53: AT-1). False

No exception noted. We determined the Department's security awareness policy met all the requirements outlined in NIST SP 800-53.63

63 DM 3545-001, Computer Security Training and Awareness (February 17, 2005).

4.b(2). Security awareness training procedures are not fully developed and sufficiently detailed (NIST 800-53: AT-1). True

We determined the Department’s security awareness training procedures met all NIST SP 800-53 requirements.64 However, one of three agencies we reviewed did not have procedures in place to ensure employees and contractors received adequate security awareness training.

4.b(3). Security awareness training procedures are not consistently implemented in accordance with government policies (NIST 800-53: AT-2). True

We determined the Department’s security awareness training procedures met all NIST SP 800-53 requirements. However, as stated in 4.b(7), procedures were not consistently implemented. In the 3 agencies reviewed, we found 1,383 of 10,904 users with login privileges did not have evidence indicating they had completed their annual security awareness training.

4.b(4). Specialized security training policy is not fully developed (NIST 800-53: AT-3). True

We determined that the Department’s policy and two of three agencies’ policies for specialized security training were not fully developed.65 We found the Department's policy for specialized training was in draft form and did not include a definition of significant information security responsibilities. Without a definition, agencies have interpreted the requirement inconsistently. The Department’s policy was not finalized as of September 30, 2011.

4.b(5). Specialized security training procedures are not fully developed or sufficiently detailed in accordance with government policies (SP 800-50, SP 800-53). True

We determined the Department’s and two of three agencies’ procedures for specialized security training were not fully developed or sufficiently detailed. As noted in 4.b(4), specialized security training policies did not include a definition of significant information security responsibilities. Therefore, agencies interpreted the requirement inconsistently and not all users who required specialized training received it. As a result, the Department increases its risk of compromise by allowing users to access information system resources without the required training.

64 Departmental Standard Operating Procedure (SOP), Information Security Training, SOP-ISD 022 (October 7, 2008).
65 NIST SP 800-53 requires the organization to provide basic security awareness training to all users. Additionally, it requires the organization to identify and provide information system managers, system and network administrators, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software with role-based specialized security training related to their specific roles and responsibilities. The organization is to determine the appropriate content of security training and the specific requirements of the organization and the information systems to which personnel have authorized access.

4.b(6). Training material for security awareness training does not contain appropriate content for the agency (SP 800-50, SP 800-53). False

No exception noted. We found that the training material for security awareness contained the appropriate content to meet NIST SP 800-53 requirements.

4.b(7). Identification and tracking of the status of security awareness training for personnel (including employees, contractors, and other agency users) with access privileges that require security awareness training is not adequate in accordance with government policies (SP 800-50, SP 800-53). True

NIST SP 800-53 requires agencies to document and monitor individual information system security training activities and to retain individual training records. Our review found all three agencies did not adequately identify and track employees with login privileges. Specifically, of the 3 agencies reviewed, we found that 1,383 of 10,904 users with login privileges did not have evidence that they completed their annual security awareness training.

4.b(8). Identification and tracking of the status of specialized training for personnel (including employees, contractors, and other agency users) with significant information security responsibilities is not adequate in accordance with government policies (SP 800-50, SP 800-53). False

No exception noted. All three agencies provided OIG with a list of employees that required specialized training. They also identified the course each user completed.

4.b(9). Training content for individuals with significant information security responsibilities is not adequate in accordance with government policies (SP 800-53, SP 800-16). True

NIST SP 800-53 requires agencies to provide specialized training to security professionals. Our testing at 3 agencies found that 4 of 33 users identified as requiring specialized security training did not have documented proof they received the training during FY 2011. For example, two of the four employees identified non-specialized iPad and iPhone user training as their specialized security training.

4.b(10). Less than 90 percent of personnel (including employees, contractors, and other agency users) with access privileges completed security awareness training in the past year. True

NIST SP 800-53 requires agencies to document and monitor individual information system security training activities and to retain individual training records. Our testing of 3 sample agencies identified that only 9,521 of 10,904 users with login privileges (87 percent) had evidence of completing the annual security awareness training.

4.b(11). Less than 90 percent of employees, contractors, and other users with significant security responsibilities completed specialized security awareness training in the past year. True

NIST SP 800-53 requires agencies to document and monitor individual information system security training activities and to retain individual training records. Our testing of employees with significant security responsibilities in 3 agencies found that only 29 of 33 (88 percent) had documented evidence of specialized training.

Section 5: POA&M

Check one: (5.a, 5.b, or 5.c)

5.a. The agency has established and is maintaining a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses. Although improvement opportunities may have been identified by OIG, the program includes the following attributes:
       5.a(1). Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation.
       5.a(2). Tracks, prioritizes and remediates weaknesses.
       5.a(3). Ensures remediation plans are effective for correcting weaknesses.
       5.a(4). Establishes and adheres to milestone remediation dates.
       5.a(5). Ensures resources are provided for correcting weaknesses.
       5.a(6). Program officials and contractors report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly.

5.b. The agency has established and is maintaining a POA&M program that tracks and remediates known information security weaknesses. However, the agency needs to make significant improvements as noted below.

5.c. The agency has not established a POA&M program.

If 5.b. is checked above, check areas that need significant improvement:

5.b(1). POA&M Policy is not fully developed. True

The Department’s security manual did not include a policy establishing a POA&M process for reporting IT security deficiencies and for tracking the status of remediation efforts. The Department stated that it was in the process of finalizing a draft policy. In addition, the three agencies reviewed did not have POA&M policies. Instead, the agencies stated that they followed the Department’s; however, the Department had not published an official POA&M policy.

5.b(2). POA&M procedures are not fully developed and sufficiently detailed. True

Although there were no formal policies, the Department distributed an updated SOP in August 2011.66 Our review of the SOP determined it was updated to include OMB-outlined criteria, and that it reflected the current POA&M process. We found that of the eight agencies that OIG, independent contractors, and annual agency self-assessments reviewed, seven did not have fully developed or sufficiently detailed procedures and six of the agencies had no procedures at all.

5.b(3). POA&M procedures are not consistently implemented in accordance with government policies. True

We found that procedures were not consistently implemented, as noted in 5.b(4)-(12). Without adequate policies and procedures at both the Department and agency levels, there is no basis for a consistent POA&M process.

5.b(4). POA&Ms do not include security weaknesses discovered during assessments of security controls and requiring remediation (OMB M-04-25). True

We found POA&Ms did not include all known security weaknesses. For example, the Department requires an agency to create a POA&M when an identified vulnerability cannot be remediated within 30 days. However, our testing at 3 agencies found 1,224 vulnerabilities over 30 days old for which no POA&M had been created. We also found that agencies were only creating one POA&M for all outstanding vulnerabilities, instead of grouping the vulnerabilities to effectively manage weaknesses and ensure remediation efforts were tracked and recorded. Additionally, we found 6 incidents that were open for over 30 days for which no POA&M was created as required by Departmental SOP. Based on our statistical sample results, we estimate 138 incidents (9.4 percent of the universe) were not closed in a timely manner and did not have a POA&M created to address them.67

5.b(5). Remediation actions do not sufficiently address weaknesses in accordance with government policies (NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security Controls). True

OMB specifies that effective remediation of IT security weaknesses is essential to achieve a mature and sound IT security program, and for securing information and systems.68 We determined that 8 of 43 POA&Ms closed in FY 2011 were closed without documented remediation plans.69 Based on our sample results, we estimate 190 POA&Ms (19 percent of the universe) were closed in FY 2011 without sufficient remediation actions to address the identified weaknesses in accordance with government policies.70

66 Departmental SOP, Plan of Action and Milestones Management CPO SOP 002 (June 29, 2011).
67 We are 95 percent confident that between 32 (2.2 percent of the universe) and 243 (16.5 percent of the universe) incidents were not resolved in a timely manner. Additional sample design information is presented in exhibit B.
68 OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act (August 23, 2004).
69 We based the sample size on a very low expected error rate. If 0 errors were found, and we desired a 5 percent chance or less that the error rate in the universe exceeds 5 percent, then our sample size would be 76 POA&Ms. We selected a simple random sample of 76 POA&Ms for review with a possible stop or go decision point at 43 POA&Ms reviewed. Additional sample design information is presented in exhibit B.

5.b(6). Source of security weaknesses are not tracked (OMB M-04-25). True

OMB M-04-25 specifies that agencies should identify the source (e.g., program review, IG audit, GAO audit, etc.) of the weakness. Our review of a statistical sample of POA&Ms open during FY 2011 found that 32 of 93 POA&Ms did not track the source of the security weakness. Based on our sample results, we estimate 721 POA&Ms (34.4 percent of the universe) did not track the source of the security weakness.71

5.b(7). Security weaknesses are not appropriately prioritized (OMB M-04-25). True

OMB M-04-25 specifies that the purpose of a POA&M is to assist agencies in prioritizing the progress of corrective efforts for security weaknesses found in programs and systems. Our review of POA&Ms within the Department found 40 of 93 POA&Ms had security weaknesses that were not appropriately prioritized. Based on our statistical sample results, we estimate 90 POA&Ms (43 percent of the universe) had security weaknesses that were inappropriately prioritized.72 For example, the Department considers 33 security controls to be critical, and requires agencies to test, report the results of that test, and create POA&Ms for weaknesses found with these controls on an annual basis.
We found 18 POA&Ms associated with these key\ncontrols were prioritized as low or very low, instead of being assigned a higher priority. This\noccurred due to agencies not updating the required priority field within CSAM, which\nautomatically defaulted to low or very low.\n\n5.b(8). Milestone dates are not adhered to (OMB M-04-25). True\n\nWe found 65 of the 93 POA&Ms reviewed did not adhere to the POA&Ms milestone dates.\nBased on our overall sample results, we estimate 1,464 POA&Ms (70 percent of the universe)\ndid not adhere to the milestone dates.73\n\n5.b(9). Initial target remediation dates are frequently missed (OMB M-04-25). True\n\nOMB M-04-25 specifies that a POA&M should include a scheduled completion date for\nresolving the identified weakness. Our review of FY 2011 POA&Ms found 409 of 2,094 were\nnot completed by the scheduled date. Of the 409 POA&Ms that were not completed by the\nscheduled completion date, we were able to determine, as of July 14, 2011:\n\n70\n   We are 95 percent confident that between 69 (7 percent) and 312 (30 percent) of closed POA&Ms in FY11 had\nremediation actions that did not sufficiently address the identified weaknesses in accordance with government\npolicies. Additional sample design information is presented in exhibit B.\n71\n   We are 95 percent confident that between 519 (about 25 percent) and 922 (44 percent) of the POA&Ms did not\ntrack the source of the security weakness. Additional sample design information is presented in exhibit B.\n72\n   We are 95 percent confident that between 691 (33 percent) and 1,111 (53 percent) of the FY11 POA&Ms had\nsecurity weaknesses that were not appropriately prioritized. Additional sample design information is presented in\nexhibit B.\n73\n   We are 95 percent confident that between 1,269 (60 percent) and 1,658 (79 percent) of POA&Ms did not adhere\nto milestone dates. 
Additional sample design information is presented in exhibit B.\n\n34      AUDIT REPORT 50501-0002-12\n\x0c     \xc2\xb7   218 POA&Ms were 1-89 days past due\n     \xc2\xb7   96 POA&MS were 90-179 days past due\n     \xc2\xb7   70 POA&Ms were 180-365 days past due\n     \xc2\xb7   25 POA&Ms were over 365 days past due\n\nWe determined that USDA was not estimating reasonable remediation dates when generating\nPOA&Ms. This occurred because agencies were not developing detailed project plans for\nremediation prior to creating POA&Ms.\n\n5.b(10). POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3,\nControl CA-5, and OMB M-04-25). True\n\nDepartmental procedures require that open POA&Ms be monitored on a routine basis and the\nstatus of each POA&M should be updated no less than quarterly to demonstrate progress in\nmitigating weaknesses. We found 15 of 93 POA&Ms had not been updated timely. Based on\nour sample results, we estimate 338 POA&Ms (16 percent of the universe) were not updated in a\ntimely manner in accordance with Departmental procedures.74 For example, we identified 10\nPOA&Ms that had not been updated in the past six months.\n\n5.b(11). Costs associated with remediating weaknesses are not identified\n(NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25). True\n\nWe found that USDA had not met OMB M-04-25\xe2\x80\x99s requirement that each POA&M include the\nestimated amount of funding needed to remediate the weakness. We found 674 of 1,774\nPOA&Ms in FY 2011 had an associated cost of zero dollars for weakness remediation.\n\n5.b(12). Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3,\nControl CA-5, and OMB M-04-25). True\n\nThe Department\xe2\x80\x99s SOP states all POA&Ms resulting from an audit were subject to review by the\nOCIO during the closure review process. In addition, the SOP requires the Department to review\nanother 10 percent of non-audit related, closed POA&Ms. 
We determined that POA&Ms were\nnot effectively tracked and reviewed by the Department. For example:\n\n     \xc2\xb7   OCIO was unable to provide an accurate list of all closed POA&Ms it reviewed;\n     \xc2\xb7   OCIO did not upload the required closure review checklist for 40 percent of the audit\n         POA&Ms reviewed;\n     \xc2\xb7   OCIO was not reviewing closed POA&Ms the same quarter in which they were closed,\n         as required;\n     \xc2\xb7   OIG was unable to verify that all audit POA&Ms had been reviewed. There was no\n         automated process to track audit POA&Ms. Instead, the Department has a manual\n         process without proper tracking and oversight; and\n\n\n74\n  We are 95 percent confident that between 182 (about 9 percent) and 494 (about 24 percent) of the POA&Ms were\nnot updated in a timely manner. Additional sample design information is presented in exhibit B.\n\n\n                                                                    AUDIT REPORT 50501-0002-12             35\n\x0c       \xc2\xb7   OIG could not verify that 10 percent of all closed, non-audit POA&Ms were being\n           reviewed by the Department, due to inaccurate and inconsistent evidence provided to\n           OIG.\n\n\nS6: Remote Access Management\nSection 6: Remote Access Management\n\nCheck one: (6.a, 6.b or 6.c)\n\n6.a. The agency has established and is maintaining a remote access program that is\nconsistent with FISMA requirements, OMB policy, and applicable NIST guidelines.\nAlthough improvement opportunities may have been identified by OIG, the program\nincludes the following attributes:\n       6.a(1). Documented policies and procedures for authorizing, monitoring, and\n       controlling all methods of remote access.\n       6.a(2). Protects against unauthorized connections or subversion of authorized\n       connections.\n       6.a(3). Users are uniquely identified and authenticated for all access.\n       6.a(4). 
If applicable, multi-factor authentication is required for remote access.\n       6.a(5). Authentication mechanisms meet NIST Special Publication 800-63 guidance\n       on remote electronic authentication, including strength mechanisms.\n       6.a(6). Defines and implements encryption requirements for information\n       transmitted across public networks.\n       6.a(7). Remote access sessions, in accordance to OMB M-07-16, are timed-out after\n       30 minutes of inactivity, after which re-authentication is required.\n\n6.b. The agency has established and is maintaining a remote access program. However,\nthe agency needs to make significant improvements as noted below.\n\n6.c. The agency has not established a program for providing secure remote access.\n\nIf 6.b. is checked above, check areas that need significant improvement:\n\n6.b(1). Remote access policy is not fully developed (NIST 800-53: AC-1, AC-17). True\n\nAlthough the Department had a remote access policy, we found it did not meet all NIST\nrequirements.75 We found that the Department\xe2\x80\x99s policy did not address key areas such as the\nadministration of remote access servers and periodic reassessment of the telework device\npolicies.76 Specifically, there were two policy areas that were not addressed in the Departmental\npolicy as outlined by NIST SP 800-46. One area was the administration of remote access servers\nand the other was periodic reassessment of telework device policies. We also found one of three\nagencies reviewed did not have a remote access policy fully developed.\n\n75\n     NIST SP 800-46, Rev. 1, Guide to Enterprise Telework and Remote Access Security (June 2009).\n76\n     DM 3525-003 Telework and Remote Access Policy (February 17, 2005).\n\n36         AUDIT REPORT 50501-0002-12\n\x0c6.b(2). Remote access procedures are not fully developed and sufficiently detailed\n(NIST 800-53: AC-1, AC-17). True\n\nThe Department did not provide any remote access procedures. 
The Department stated that it\nwas responsible for creating policy, but that it was the agencies\xe2\x80\x99 responsibility to create\nprocedures to ensure the policy was implemented. We found the agencies did not have fully\ndeveloped or sufficiently detailed remote access procedures. For example, one agency's\nhandbook provided policy guidance for remote access and teleworking, but it did not provide\nprocedures for ensuring the policies were enforced.\n\n6.b(3). Remote access procedures are not consistently implemented in accordance with\ngovernment policies (NIST 800-53: AC-1, AC-17). True\n\nAs noted in 6.b(2), remote access procedures were not fully developed or sufficiently detailed;\nthus, they were not consistently implemented in accordance with government policies. We\nfound that of the seven agencies that OIG, independent contractors, and annual agency self-\nassessments reviewed, five did not have remote access procedures implemented consistently. As\na result, inadequate security for remote access could result in the unauthorized access, use,\ndisclosure, disruption, modification, or destruction of information. For example, one agency's\nhandbook provided policy guidance for remote access and teleworking, but it did not provide\nprocedures for ensuring the policies were enforced.\n\n6.b(4). Telecommuting policy is not fully developed (NIST 800-46, Section 5.1). True\n\nAs noted in 6.b(1) above, we found that Departmental policy did not meet NIST SP 800-46\nguidance. We found two of the three agencies reviewed did not have a fully developed\ntelecommuting policy.\n\n6.b(5). Telecommuting procedures are not fully developed or sufficiently detailed in\naccordance with government policies (NIST 800-46, Section 5.4). True\n\nWe found all three agencies reviewed did not have fully developed telecommuting procedures.\nFor example, one agency was able to provide policies, but did not have detailed remote access\nprocedures.\n\n6.b(6). 
Agency cannot identify all users who require remote access (NIST 800-46,\nSection 4.2, Section 5.1). False\n\nNo exception noted. We found that of the seven agencies reviewed by OIG and independent\ncontractors, seven were able to identify all users requiring remote access.\n\n\n\n\n                                                          AUDIT REPORT 50501-0002-12          37\n\x0c6.b(7). Multi-factor authentication is not properly deployed (NIST 800-46, Section 2.2,\nSection 3.3). True\n\nDepartmental Regulation 3505-003 specifies that agencies must implement multi-factor\nauthentication for all forms of remote access to agency information systems.77 We found that of\nthe 10 agencies that OIG, independent contractors, and annual agency self-assessments reviewed,\n8 did not have multi-factor authentication properly implemented for remote access. The agencies\nwere not using the Departmental solution because they had not received all of their identification\ncards.78 This caused them to employ interim solutions that did not use two-factor authentication\nfor remote access.\n\n6.b(8). Agency has not identified all remote devices (NIST 800-46, Section 2.1). False\n\nNo exception noted. Our review and reviews conducted by independent contractors found five\nagencies had identified all remote devices.\n\n6.b(9). Agency has not determined all remote devices and/or end user computers have been\nproperly secured (NIST 800-46, Section 3.1 and 4.2). True\n\nUSDA had not implemented multi-factor authentication Department-wide, as noted in 6.b(7).\nWe also found two of three agencies reviewed had not completely implemented encryption on all\ntheir remote access devices (including removable media) while waiting for the Departmental\nsolution to be implemented. For example, OIG found one agency had failed to encrypt 341\nlaptop devices because procedures were inadequate to ensure this was done for newly deployed\nhardware.\n\n6.b(10). 
Agency does not adequately monitor remote devices when connected to the\nagency's networks remotely in accordance with government policies (NIST 800-46,\nSection 3.2). True\n\nWe found that two of five agencies reviewed were not adequately monitoring remote devices\nwhile they were connected to the agency's networks, as required by NIST SP 800-46. One\nagency conducted only general network logging, and did not conduct specialized remote access\nlogging. Due to the dangers inherent in remote access, more stringent logging and review should\nbe initiated.\n\n\n\n\n77\n   USDA Departmental Regulation (DR) 3505-003, Access Control Policy (August 11, 2009). Multi-factor\nauthentication is a security process in which the user provides two means of identification, one of which is typically\na physical token, such as a card, and the other is typically something memorized, such as a security code. In this\ncontext, the two factors involved are sometimes spoken of as \xe2\x80\x9csomething you have and something you know.\xe2\x80\x9d\n78\n   USDA LincPass ID cards (Homeland Security Presidential Directive-12 (HSPD-12) credentials).\n\n38      AUDIT REPORT 50501-0002-12\n\x0c6.b(11). Lost or stolen devices are not disabled and appropriately reported\n(NIST 800-46, Section 4.3, US-CERT Incident Reporting Guidelines). False\n\nNo exception noted. Our review found that all lost or stolen devices were disabled and\nappropriately reported.\n\n6.b(12). Remote access rules of behavior are not adequate in accordance with government\npolicies (NIST 800-53, PL-4). True\n\nNIST SP 800-53 requires that agencies provide users with a Rules of Behavior document, and\nthat it be signed prior to allowing access to the system. We found one of four agencies reviewed\ndid not have adequate remote access Rules of Behavior. This occurred because one agency was\nnot aware it was required to have a Rules of Behavior document signed prior to allowing the user\naccess to the system.\n\n6.b(13). 
Remote access user agreements are not adequate in accordance with government\npolicies (NIST 800-46, Section 5.1, NIST 800-53, PS-6). False\n\nNo exception noted. We reviewed four agencies and found all four had adequate remote access\nuser agreements.\n\n6.b(14). Other. True\n\nRemote access sessions, in accordance to OMB M-07-16, are not timed out after 30 minutes\nof inactivity, after which re-authentication is required.\n\n6.b(14ex). Explanation for Other\n\nNIST SP 800-46 requires remote sessions to be timed-out after 30 minutes of inactivity. Our\nreview found that 2 of 3 agencies did not require sessions to be timed-out after 30 minutes of\ninactivity. One agency had a time-out setting of 240 minutes.\n\n\nS7: Identity and Access Management\nSection 7: Identity and Access Management\n\nCheck one: (7.a, 7.b or 7.c)\n\n7.a. The agency has established and is maintaining an identity and access management\nprogram that is consistent with FISMA requirements, OMB policy, and applicable NIST\nguidelines, and identifies users and network devices. Although improvement opportunities\nmay have been identified by OIG, the program includes the following attributes:\n       7.a(1). Documented policies and procedures for account and identity management.\n       7.a(2). Identifies all users, including federal employees, contractors, and others who\n       access agency systems.\n\n\n\n                                                            AUDIT REPORT 50501-0002-12           39\n\x0c        7.a(3). Identifies when special access requirements (e.g., multi-factor\n        authentication) are necessary.\n        7.a(4). If multi-factor authentication is in use, it is linked to the agency's PIV\n        program where appropriate.\n        7.a(5). Ensures that the users are granted access based on needs and separation of\n        duties principles.\n        7.a(6). 
Identifies devices that are attached to the network and distinguishes these\n        devices from users.\n        7.a(7). Ensures that accounts are terminated or deactivated once access is no longer\n        required.\n        7.a(8). Identifies and controls use of shared accounts.\n\n7.b. The agency has established and is maintaining an identity and access management\nprogram that identifies users and network devices. However, the agency needs to make\nsignificant improvements as noted below.\n\n7.c. The agency has not established an identity and access management program.\n\nIf 7.b. is checked above, check areas that need significant improvement:\n\n7.b(1) Account management policy is not fully developed (NIST 800-53: AC-1). True\n\nWe found that the Department\xe2\x80\x99s identity and account management policy did not contain all\ncontrols required by NIST SP 800-53.79 For example, Department policies did not address the\nauthorizing and monitoring of guest/anonymous, emergency, and temporary accounts. In\naddition, two of the three agencies reviewed did not have a fully developed formal policy for\nidentity and account management. The Department\xe2\x80\x99s new policy is in draft and is currently in the\nclearance process.\n\n7.b(2) Account management procedures are not fully developed and sufficiently detailed\n(NIST 800-53: AC-1). True\n\nWe found that the Department issued a handbook for identity and account management\nprocedures.80 However, the handbook was for a new identity and account management program\nthat had not been fully implemented, and the handbook did not contain all controls required by\nNIST SP 800-53. The Department plans to develop procedures after the implementation of the\nnew policy. 
Our review of the three selected agencies found that they also did not have formal\nprocedures meeting all NIST SP 800-53 requirements.\n\n\n\n\n79\n   DR 3505-003, Access Control Policy (August 11, 2009); DR 3180-001, Information Technology Network\nStandards (September 30, 2008); and DR 3535-001, USDA's C2 Level of Trust (February 2005).\n80\n   USDA Identity, Credential and Access Management (ICAM) Identity Lifecycle Management Handbook (June\n2011).\n\n40     AUDIT REPORT 50501-0002-12\n\x0c7.b(3) Account management procedures are not consistently implemented in accordance\nwith government policies (NIST 800-53: AC-2). True\n\nWe found that of the nine agencies that OIG, independent contractors, and annual agency self-\nassessments reviewed, seven did not consistently implement account management procedures.\nSee questions 7.b(5)-(10).\n\n7.b(4) Agency cannot identify all user and non-user accounts (NIST 800-53, AC-2). False\n\nNo exception noted.\n\n7.b(5) Accounts are not properly issued to new users (NIST 800-53, AC-2). True\n\nWe found that of the 11 agencies that OIG, independent contractors, and annual agency self-\nassessments reviewed, 5 were not properly issuing accounts to new users, as required by NIST\nSP 800-53. NIST specifies that organizations should establish conditions for group membership,\nidentify authorized users, specify access privileges, require appropriate approval for establishing\naccounts, and grant access, based on need. In addition, during the agency annual self-\nassessments performed, five agencies identified weaknesses in their processes for properly\nissuing new user accounts. Agencies were not properly documenting and approving new user\nrequests, in accordance with their own policies and procedures.\n\n7.b(6) Accounts are not properly terminated when users no longer require access\n(NIST 800-53, AC-2). 
True\n\nDepartmental regulations require accounts to be deleted or disabled within 48 hours of a user\xe2\x80\x99s\nseparation. 81 We found that of the nine agencies that OIG, independent contractors, and annual\nagency self-assessments reviewed, eight did not properly terminate user accounts when access\nwas no longer required. For example, one agency's policy stated emergency and temporary\naccess will be removed within 7 days and routine termination of user accounts will occur within\n30 calendar days. Another agency did not have a timely way of reporting separated employees,\nwhich allowed the accounts to remain active 30 days past the separation date. As a result of\nthese reviews, we found 28 user accounts that remained active after the user had left Federal\nservice, which could result in unauthorized access, use, disclosure, disruption, modification, or\ndestruction of information.\n\n7.b(7) Agency does not use multi-factor authentication where required (NIST 800-53,\nIA-2). True\n\nAs noted in 6.b(7), we found 8 of the 10 agencies that OIG and independent contractors reviewed\ndid not require multi-factor authentication.\n\n\n\n\n81\n     DR 3505-003, Access Control Policy (August 11, 2009).\n\n                                                             AUDIT REPORT 50501-0002-12         41\n\x0c7.b(8) Agency has not adequately planned for implementation of PIV for logical access in\naccordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06,\nOMB M-08-01, OMB M-11-11). True\n\nWe found that the Department had not adequately planned for implementing Personal\nIdentification Verification (PIV) cards for logical access in accordance with government\npolicies.82 The status report published on the USDA website reported only 66 percent of the\nrequired PIV cards have been activated. 
Our review also found that of the six agencies that OIG,\nindependent contractors and annual agency self-assessments reviewed, three did not adequately\nplan for the implementation of PIV for computer access. Department-wide implementation had\nbeen delayed due to problems with the timely issuance of the PIV cards. In addition, one agency\nwas unable to provide the status of its PIV implementation. As a result, the mandatory\nimplementation of the PIV card, which was first introduced in 2005, was still pending within the\nDepartment and may result in unauthorized access, misuse, disclosure, disruption, modification,\nor destruction of information.\n\n7.b(9) Privileges granted are excessive, or result in capability to perform conflicting\nfunctions (NIST 800-53, AC-2, AC-6). True\n\nWe found that of the 10 agencies that OIG, independent contractors, and annual agency\nself-assessments reviewed, 7 had granted users excessive privileges, allowing them the capability\nto perform conflicting functions. These agencies did not ensure that users were granted access\nbased on their work needs, and did not follow separation of duty principles, as required by\nNIST SP 800-53.\nNIST states that organizations should identify authorized users of information systems and\nspecify access privileges, require appropriate approval, grant access based on need, periodically\nreview accounts, provide additional scrutiny of administrative accounts, follow separation of\nduty principles, and use the concept of least privilege. We found three agencies reported\nweaknesses in granting excessive privileges and separation of duties in their annual self-\nassessments.\n\n7.b(10) The agency does not use dual accounts for administrators (NIST 800-53, AC-5,\nAC-6). 
True\n\nWe found that of the seven agencies that OIG, independent contractors, and annual agency\nself-assessments reviewed, five were not using dual accounts for administrators, as required by\n\n\n\n82\n   FIPS Publication 201-1 Personal Identity Verification (PIV) of Federal Employees and Contractors (March 2006)\nstates that HSPD-12, entitled Policy for a Common Identification Standard for Federal Employees and Contractors,\nprovides for a Federal standard for secure and reliable forms of identification for Federal employees and contractors.\nImplementation of HSPD-12 specifies that the credential is an integrated circuit card. The card must store\npersonalized identity information for the person to whom the card was issued. The cards will be used for electronic\nverification for logical access to information resources. For example, when a cardholder logs in to an agency\nnetwork using the PIV card, the identity established through this authentication process can be used for determining\naccess to file systems, databases, and other services available on the network.\n\n42      AUDIT REPORT 50501-0002-12\n\x0cNIST SP 800-53. NIST states that a privileged user should have a second, non-privileged\naccount to support the principle of least privilege. This is commonly referred to as dual accounts\nfor administrators. For example, in our review of one agency's access listing, we found 14\nadministrators who did not have dual accounts and 6 users who had dual accounts but had the\nsame elevated privilege granted to both accounts.\n\n7.b(11) Network devices are not properly authenticated (NIST 800-53, IA-3). False\n\nNo exception noted.\n\n7.b(12) The process for requesting or approving membership in shared privileged accounts\nis not adequate in accordance to government policies. False\n\nNo exception noted.\n\n7.b(13) Use of shared privileged accounts is not necessary or justified. 
False\n\nNo exception noted.\n\n7.b(14) When shared accounts are used, the agency does not renew shared account\ncredentials when a member leaves the group. True\n\nOur review found that of five agencies that OIG, independent contractors, and annual agency\nself-assessments reviewed, one did not renew shared account credentials when a member leaves\nthe group.83 One agency reported when a member of a shared account leaves the group, the\naccount credentials were not immediately changed. Instead, the shared account credentials may\nnot have expired for 90-180 days. As a result, these shared accounts were vulnerable to\nunauthorized access, which may result in misuse, disclosure, disruption, modification, or\ndestruction of information.\n\n\nS8: Continuous Monitoring Management\nSection 8: Continuous Monitoring Management\n\nCheck one: (8.a, 8.b or 8.c)\n\n8.a. The agency has established an enterprise-wide continuous monitoring program that\nassesses the security state of information systems that is consistent with FISMA\nrequirements, OMB policy, and applicable NIST guidelines. Although improvement\nopportunities may have been identified by OIG, the program includes the following\nattributes:\n\n\n83\n  A shared account is a set of users assigned to a security group. The security group is assigned appropriate\npermissions to access specific resources such as administrative functions. This simplifies administration so that\npermissions are assigned once to the group instead of multiple times to each individual user. When a user is added\nto an existing group, the user automatically assumes the rights and permissions assigned to that group.\n\n\n                                                                       AUDIT REPORT 50501-0002-12               43\n\x0c       8.a(1). Documented policies and procedures for continuous monitoring.\n       8.a(2). Documented strategy and plans for continuous monitoring.\n       8.a(3). 
Ongoing assessments of security controls (system-specific, hybrid, and\n       common) that have been performed based on the approved continuous monitoring\n       plans.\n       8.a(4). Provides authorizing officials and other key system officials with security\n       status reports covering updates to security plans and security assessment reports, as\n       well as POA&M additions and updates with the frequency defined in the strategy\n       and/or plans.\n\n8.b. The agency has established an enterprise-wide continuous monitoring program that\nassesses the security state of information systems. However, the agency needs to make\nsignificant improvements as noted below.\n\n8.c. The agency has not established a continuous monitoring program.\n\nIf 8.b. is checked above, check areas that need significant improvement:\n\n8.b(1). Continuous monitoring policy is not fully developed (NIST 800-53: CA-7). True\n\nThe Department did not have a continuous monitoring policy. The program is not scheduled for\nfull implementation until December 2011. In addition, we found all three agencies reviewed\nduring this audit did not have a fully developed continuous monitoring policy that met\nNIST SP 800-53 requirements.\n\n8.b(2). Continuous monitoring procedures are not fully developed (NIST 800-53: CA-7).\nTrue\n\nThe Department and the three agencies reviewed during this audit were not able to provide\nprocedures governing continuous monitoring. NIST SP 800-53 requires that organizations\nestablish a continuous monitoring strategy and implement a continuous monitoring program.\nThe program should include a configuration management process for the information system and\nits constituent components. It also requires a determination of the security impact of changes to\nthe information system and environment of operation.\n\n8.b(3). Continuous monitoring procedures are not consistently implemented\n(NIST 800-53: CA-7; 800-37 Rev. 1, Appendix G). 
True

As noted in 8.b(2), continuous monitoring procedures were not provided and therefore could not be consistently implemented. The Department has stated it lacks the resources to implement robust, enterprise-wide, continuous monitoring capabilities. As a result, the Department cannot effectively detect compliance and determine if security controls within an information system are effective.

8.b(4). Strategy or plan has not been fully developed for enterprise-wide continuous monitoring (NIST 800-37 Rev. 1, Appendix G). True

NIST SP 800-37 states that an organization should formulate a robust strategy or plan for entity-wide continuous monitoring. The plan should consist of a comprehensive governance structure and organization-wide risk management strategy, which includes the techniques and methodologies the organization plans to employ to assess information system security risks. We found the strategy and plans the Department provided for developing an entity-wide continuous monitoring plan were in draft and are estimated to be completed by December 2011. Although the plan has not been fully developed, during the year the Department deployed powerful monitoring tools which, when fully operational, would be a large part of the continuous monitoring program.

8.b(5). Ongoing assessments of security controls (system-specific, hybrid, and common) have not been performed (NIST 800-53, NIST 800-53A). True

NIST SP 800-53 states that the organization will assess the security controls in an information system as part of the testing/evaluation process. We identified 48 of 257 systems in which ongoing assessments of selected security controls had not been performed in FY 2011.

8.b(6). 
The following were not provided to the authorizing official or other key system officials: security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST 800-53, NIST 800-53A). True

We found two of three agencies did not provide the system-authorizing official or other key system officials with security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms. This occurred because policies and procedures had not been issued, and agencies were unaware that these documents should have been provided to the authorizing official.

S9: Contingency Planning
Section 9: Contingency Planning

Check one: (9.a, 9.b, or 9.c)

9.a. The agency established and is maintaining an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by OIG, the program includes the following attributes:
        9.a(1). Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster.
        9.a(2). The agency has performed an overall Business Impact Analysis (BIA).
        9.a(3). Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures.
        9.a(4). Testing of system-specific contingency plans.
        9.a(5). The documented business continuity and disaster recovery plans are in place and can be implemented when necessary.
        9.a(6). Development of test, training, and exercise (TT&E) programs.
        9.a(7). 
Performance of regular ongoing testing or exercising of business continuity/disaster recovery plans to determine effectiveness and to maintain current plans.

9.b. The agency has established and is maintaining an enterprise-wide business continuity/disaster recovery program. However, the agency needs to make significant improvements as noted below.

9.c. The agency has not established a business continuity/disaster recovery program.

If 9.b. is checked above, check areas that need significant improvement:

9.b(1). Contingency planning policy is not fully developed; contingency planning policy is not consistently implemented (NIST 800-53: CP-1). True

NIST SP 800-53 states that the organization develops, disseminates, and reviews/updates a formal, documented contingency planning policy. We found that the Department's contingency planning policy did not meet these requirements.84 For example, the policy did not address alternate telecommunications providers. This occurred because the Department’s policy has not been updated with the new NIST SP 800-53 elements. We also found that of the 18 policies that OIG, independent contractors, and annual agency self-assessments reviewed, 5 did not meet these requirements.

9.b(2). Contingency planning procedures are not fully developed (NIST 800-53: CP-1). True

We found three of three agencies reviewed were following the Department's template for developing contingency plans.85 However, our review found that the template did not contain all of the required NIST SP 800-53 elements. Specifically, it did not cover the need for alternate telecommunications providers. This occurred because the Department’s policy has not been updated with the new NIST SP 800-53 elements. A total of 9 out of 17 systems failed to address alternate telecommunications providers because the element was not in the Department's template.

9.b(3). 
Contingency planning procedures are not consistently implemented (NIST 800-53; 800-34). True

NIST SP 800-53 requires the agency to have formal, documented procedures to facilitate the implementation of a contingency planning policy and associated contingency planning controls. We found three of three agencies were not consistently implementing contingency planning procedures. For example, two agencies were not backing up data, and one agency was not testing its contingency plan as required.

84  DM 3570-001, Disaster Recovery and Business Resumption Plans (February 17, 2005).
85  USDA Contingency Plan Template (March 2011).

9.b(4). An overall business impact assessment (BIA) has not been performed (NIST SP 800-34). True

NIST SP 800-34 states that conducting the BIA is a key element in a comprehensive information system contingency planning process.86 The Department's guide on developing contingency plans requires that a BIA is completed for each system. We found 2 of 17 systems did not have a BIA.

9.b(5). Development of organization, component, or infrastructure recovery strategies and plans has not been accomplished (NIST SP 800-34). False

No exception noted.

9.b(6). A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP 800-34). False

No exception noted.

9.b(7). A business continuity/disaster recovery plan has been developed, but not fully implemented (FCD1, NIST SP 800-34). True

NIST SP 800-53 requires the agency to have formal, documented procedures to facilitate the implementation of its contingency planning policy and associated controls. We found that three of three agencies had developed business continuity/disaster recovery plans; however, one agency had not fully implemented the plan. 
The agency’s contingency plan was in the process of being rewritten to reflect a major system change and was not completed by September 30, 2011.87

9.b(8). System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 requires Federal agencies to develop a formal, documented contingency plan that addresses purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities in planning controls. We identified that 10 of 17 systems had incomplete contingency plans.88 For example, nine plans failed to address alternate telecommunication providers. Based on our sample results, for the 3 agencies, we estimate that 22 systems (about 59 percent) had missing or incomplete contingency plans.89

This occurred because the plans utilized the template set forth by the Department which did not meet NIST SP 800-53 standards. In one instance the contingency plan was being updated to the new template. As a result of not having complete contingency plans, agency information systems were at risk of not being able to restore mission critical and business operations in the event of a disaster.

86  NIST SP 800-34, Contingency Planning Guide for Federal Information Systems (May 2010).
87  The application developers and the agency CIO did not see any reason to test an obsolete contingency plan.

9.b(9). Systems contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 requires Federal agencies to test and exercise contingency plans for information systems, using organization-defined tests or exercises. 
This is done to determine the plan’s effectiveness, and the organization's readiness to execute the plan and initiate corrective actions. We identified 33 of 257 systems for which USDA system contingency plans had not been tested during FY 2011.

9.b(10). Test, training, and exercise programs have not been developed (FCD1, NIST SP 800-34, NIST 800-53). True

We found one of the three agencies that OIG and independent contractors reviewed had not fully developed training, testing, and exercise approaches.

9.b(11). Test, training, and exercise programs have been developed, but are not fully implemented (FCD1, NIST SP 800-34, NIST SP 800-53). True

We found that of the 18 agencies OIG, independent contractors, and annual agency self-assessments reviewed, 4 had not fully implemented training, testing, and exercise programs.

9.b(12). After-action report did not address issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34). True

NIST SP 800-34 states that all recovery and reconstitution events should be well documented, including actions taken and problems encountered during recovery and reconstitution efforts. An after-action report with lessons learned should be documented and updated. Our review found that 1 of 17 systems did not have an after-action report that addressed issues identified during the disaster recovery exercise.

88  We selected a simple random sample of 25 contingency plans for review. Our simple random sample included at least one contingency plan from each of the three selected agencies, so we did not use stratification. An expected error rate of 100 percent was used. The achieved confidence intervals were wider than targeted in the design because only the first 17 system contingency plans were reviewed. All projections were made using the normal approximation to the binomial as reflected in standard equations for a simple random sample. Additional sample design information is presented in exhibit B.
89  We are 95 percent confident that between 15 (40 percent) and 29 systems (78 percent) had missing or incomplete contingency plans. Additional sample analysis information is presented in exhibit B.

9.b(13). Systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 requires alternate processing sites to be established for information systems in case of a disaster. External contractors identified that one of five agencies did not have an alternate processing site established for information systems.

9.b(14). Alternate processing sites are subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53). False

No exception noted.

9.b(15). Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 states that the organization should conduct user level, system level, and information system documentation backups. We found 3 of 17 systems that OIG reviewed were not performing backups in a timely manner. For example, one agency could not find the system on the network in order to start the backup. Based on the results of our statistical sample, we estimate that seven systems (about 18 percent) did not perform backups in a timely manner.90

9.b(16). Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 states that the organization should test backup information to verify media reliability and information integrity. We found that 5 of 17 systems had not performed regular backup recovery tests.91 For example, one agency we reviewed did not include backup and testing as part of its annual testing. 
Based on our sample results, we estimate that backups for 11 systems in our audit universe (about 29 percent) were not appropriately tested.92

9.b(17). Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 states that the organization should protect the confidentiality and integrity of backup information at the storage location. OIG and the agency annual self-assessments found 2 of 13 agencies were not properly securing and protecting backups. For example, one agency was not aware that they were required to document and track weekly backup tapes.

90  We are 95 percent confident that backups for up to 12 systems (33 percent) were not performed in a timely manner. Additional sample analysis information is presented in exhibit B.
91  Regular is considered to be at least annually during the contingency plan testing.
92  We are 95 percent confident that up to 17 systems’ backups (47 percent) were not appropriately tested. Details of this design and additional sample analysis information are presented in exhibit B.

9.b(18). Contingency planning does not consider supply chain threats. False

No exception noted.

S10: Contractor Systems
Section 10: Contractor Systems

Check one: (10.a, 10.b or 10.c)

10.a. The agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities, including agency systems and services residing in the cloud external to the agency. Although improvement opportunities may have been identified by OIG, the program includes the following attributes:
        10.a(1). 
Documented policies and procedures for information security oversight of systems operated on the agency's behalf by contractors or other entities, including agency systems and services residing in public cloud.
        10.a(2). The agency obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with federal and agency guidelines.
        10.a(3). A complete inventory of systems operated on the agency's behalf by contractors or other entities, including agency systems and services residing in public cloud.
        10.a(4). The inventory identifies interfaces between these systems and agency-operated systems.
        10.a(5). The agency requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
        10.a(6). The inventory of contractor systems is updated at least annually.
        10.a(7). Systems that are owned or operated by contractors or entities, including agency systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.

10.b. The agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities, including agency systems and services residing in public cloud. However, the agency needs to make significant improvements as noted below.

10.c. The agency does not have a program to oversee systems operated on its behalf by contractors or other entities, including agency systems and services residing in public cloud.

If 10.b. is checked above, check areas that need significant improvement:

10.b(1). 
Policies to oversee systems operated on the agency's behalf by contractors or other entities, including agency systems and services residing in public cloud, are not fully developed. True

We found the Department did not have a policy to oversee systems operated on the agency’s behalf by contractors or other entities. The Department is in the process of drafting a memo on overseeing contractors’ systems.

10.b(2). Procedures to oversee systems operated on the agency's behalf by contractors or other entities, including agency systems and services residing in public cloud, are not fully developed. True

We found the Department did not have procedures to oversee systems operated on the agency’s behalf by contractors or other entities. The Department stated that the agencies were responsible for developing their own procedures. We found that two of three agencies we reviewed had not developed procedures and the remaining agency’s procedures were not sufficiently detailed.

10.b(3). Procedures to oversee systems operated on the agency's behalf by contractors or other entities, including agency systems and services residing in public cloud, are not consistently implemented. True

As noted in 10.b(2), neither the Department nor the agencies reviewed had procedures that were adequate; therefore, there is no basis to evaluate consistent implementation.

10.b(4). The inventory of systems owned or operated by contractors or other entities, including agency systems and services residing in public cloud, is not complete in accordance with government policies (NIST 800-53: PM-5). True

The Department did not have an accurate inventory of contractor systems for all agencies. During the FY 2009 and FY 2010 FISMA audits, we identified systems which should have been designated as contractor systems. 
In response, the Department stated that it would review the systems and change the designation to contractor systems, if appropriate. During this year’s audit, we found seven systems were still not included in the inventory of contractor systems. This occurred because there were no policies or procedures for the oversight of contractor systems.

OIG also found that the Department’s new cloud email service was not included in the official USDA inventory and was not designated as a contractor system.

10.b(5). The inventory does not identify interfaces between contractor/entity-operated systems to agency owned and operated systems. True

FISMA requires the Department to maintain an inventory of information systems, including an identification of the interfaces between each system and all other systems or networks, including those not operated by, or under the control of, the agency.93 We found agencies were not maintaining an accurate inventory of interfaces. We reviewed 18 SSPs and then compared the list of interfaces to those documented in CSAM. We found that all 18 systems incorrectly reported interconnections to other systems not operated by the agency (i.e., contractors’ systems). Agencies were responsible for accurately documenting interface data in CSAM, but failed to account for all interconnections. Since interfaces allow for the exchange of data between two systems, it is important that security controls in each interconnected system accurately reflect the risk of inadvertent information disclosure. Without proper documentation and testing of those interfaces, the confidentiality, integrity, and availability of the exchanged data could be compromised without discovery.

10.b(6). The inventory of contractor/entity-operated systems, including interfaces, is not updated at least annually. 
True

NIST specifies that organizations should review security controls for interconnection at least annually, or whenever a significant change occurs, to ensure they are operating properly and are providing appropriate levels of protection.94 As noted in 10.b(4), the Department did not update its inventory of contractor systems in FY 2011. In addition, as noted in 10.b(5), we found that the Department had not identified all interfaces.

10.b(7). Systems owned or operated by contractors and entities are not subject to NIST and OMB's FISMA requirements (e.g., security requirements). False

No exception noted. We reviewed the contract executed between USDA and its cloud email services vendor and determined that the executed agreement included clauses requiring the contractor to adhere to NIST and FISMA requirements.

10.b(8). Systems owned or operated by contractors and entities do not meet NIST and OMB’s FISMA requirements (e.g., security requirements). True

We found 18 of 18 contractor systems had not been updated in accordance with government policies, and did not meet NIST SP 800-53 and OMB's FISMA requirements.95 In addition, OIG performed physical and environmental control reviews at the cloud email contractor’s primary and backup data center. We found all reviewed controls in place and operating effectively.

10.b(9). Interface agreements (e.g., MOUs) are not properly documented, authorized, or maintained. 
True

We found the Department did not maintain an inventory of interface agreements. NIST SP 800-47 states that a Memorandum of Understanding (MOU) defines the responsibilities of the participating organizations, and that the joint planning team should identify and examine all relevant technical, security, and administrative issues surrounding the proposed interconnection. This information may be used to develop an Interconnection Security Agreement (ISA) and/or an MOU (or an equivalent document). Specifically, we found 17 of the 18 systems reviewed during this audit did not have the required MOU/ISA.

93  FISMA of 2002, Title III, Information Security (December 17, 2002).
94  NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems (August 2002).
95  OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (September 14, 2011).

S11: Security Capital Planning
Section 11: Security Capital Planning

Check one: (11.a, 11.b or 11.c)

11.a. The agency has established and maintains a security capital planning and investment program for information security. Although improvement opportunities may have been identified by OIG, the program includes the following attributes:

11.a(1). Documented policies and procedures to address information security in the capital planning and investment control process. False

We reviewed capital planning policies and procedures at the Department and agencies to determine if all critical elements were included in the documents.96 We determined that the policy and procedures at the Department and agency levels included all required criteria for the capital planning process with one exception. 
One of seven criteria required by OMB and NIST guidance was not included in the Departmental guidance.97 Specifically, the policy lacked a description of what constitutes a major IT investment according to the capital planning process. This occurred because the Capital Planning Division was not aware the criterion needed to be included in the Departmental policy.

11.a(2). Includes information security requirements as part of the capital planning and investment process. True

No exception noted.

11.a(3). Establishes a discrete line item for information security in organizational programming and documentation. True

No exception noted.

96  Capital Planning and Investment Control (CPIC) is a systematic approach to selecting, managing, and evaluating information technology investments, which is mandated by the Clinger Cohen Act of 1996 and requires federal agencies to focus more on the results achieved through IT investments while streamlining the federal IT procurement process (www.ocio.usda.gov/cpic/index.html).
97  OMB A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets (July 2010); NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process (January 2005); DM 3560-000, Capital Planning & Investment Control (CPIC) for Security Table of Content (February 17, 2005); and DM 3560-001, Security Requirements for CPIC (February 17, 2005).

11.a(4). Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required. True

No exception noted.

11.a(5). Ensures that information security resources are available for expenditure as planned. True

No exception noted.

11.b. The agency has established and maintains a capital planning and investment program. 
However, the agency needs to make significant improvements as noted below.

11.c. The agency does not have a capital planning and investment program.

If 11.b. is checked above, check areas that need significant improvement:

11.b(1). CPIC information security policy is not fully developed.
11.b(2). CPIC information security procedures are not fully developed.
11.b(3). CPIC information security procedures are not consistently implemented.
11.b(4). The agency does not adequately plan for IT security during the CPIC process (SP 800-65).
11.b(5). The agency does not include a separate line for information security in appropriate documentation (NIST 800-53: SA-2).
11.b(6). Exhibits 300/53 or business cases do not adequately address or identify information security costs (NIST 800-53: PM-3).
11.b(7). The agency does not provide IT security funding to maintain the security levels identified.

Exhibit B: Sampling Methodology and Projections: Audit Number 50501-0002-12 FISMA FY2011

Objective:
This sample was designed to support OIG audit number 50501-0002-12. 
The objective of this audit was to evaluate the status of USDA’s overall IT security program based on the following overarching criteria:
   ·   Effectiveness of the Department’s oversight of agencies’ IT security programs, and compliance with FISMA;
   ·   Agencies’ system of internal controls over IT assets;
   ·   Department’s progress in establishing a Departmentwide security program, which includes effective certifications and accreditations;
   ·   Agencies’ and Department’s plan of action and milestones (POA&M) consolidation and reporting process; and
   ·   Effectiveness of controls over configuration management, incident response, IT training, remote access management, identity and access management, continuous monitoring, contingency planning, contractor systems and capital planning.

FISMA Audit Universes and Sample Designs:
FISMA addresses multiple areas of IT security. We incorporated statistical sampling in four FISMA areas. Each of those areas was represented by a different universe. The specific designs are summarized below for each of the four audit areas.

1. Incident Response and Reporting

Universe:
The audit universe consisted of 1,473 incidents reported for FY 2011 as of May 31, 2011. Each incident had a unique identifier (incident number) and was categorized based on incident type into 1 of 9 categories. 
A listing and counts of the different categories are presented in the sample design section below.

Sample Design:
Each category has specific procedures and timelines that must be met by OCIO and the agency. While standards differ among the categories, the standards fall into four common groups: checklist requirements, reporting requirements, timely resolution, and damage containment. Thus, each incident response can be assessed as “pass” or “fail” when compared to the criteria that apply specifically to that incident type. This allowed us to combine incident response performance results (pass or fail) for the mix of incident types.

We selected a stratified design of 66 incidents. We had two incident types with only one instance each and we wanted to ensure those two incidents were examined. Therefore, Stratum 1 is a census stratum of those two incidents; their outcomes are counted in the results but do not project to other incident types.

Because we are not making individual category projections, we placed all other incident categories, containing a total of 1,471 incidents, into Stratum 2. 
For Stratum 2, the sample size of 64 incidents was based on an error rate of about 20 percent and a desired absolute precision of +/-10 percent of the audit universe, when reporting a 95 percent confidence level.

The resulting sample design is summarized in the table below, with two incidents in Stratum 1 and 64 incidents selected with equal probability of selection in Stratum 2; universe counts are also provided in the table.

Table 1: Incidents universe and sample counts by category

 Stratum   Incident Type                                      Universe   Sample
    1      USCERT CAT2 - Denial of Service (DoS)                     1        1
    1      USDA CAT7 - Spam                                          1        1
    2      USCERT CAT1 - Unauthorized Access                        22        1
    2      USCERT CAT3 - Malicious Code                            612       28
    2      USCERT CAT4 - Improper Usage                             69        3
    2      USCERT CAT5 - Scans/Probes/Attempted Access              90        5
    2      USCERT CAT6 - Investigation                             236       10
    2      USDA CAT8 (USCERT CAT1) - Loss, Theft, Missing          271        8
    2      USDA CAT9 - Block List                                  171        9
           Total                                                 1,473       66

Results:
Results are projected to the audit universe of 1,473 incidents. Achieved precision, relative to the universe of 1,473 incidents, is reflected by the confidence interval for a 95 percent confidence level. All projections are made using the normal approximation to the binomial as reflected in standard equations for a stratified sample.98

Projections are shown in Table 2. 
Narrative interpretation of the results is presented below the table.

98  Scheaffer, Mendenhall, Ott, Elementary Survey Sampling, Fourth Edition (Chapter 5), Duxbury Press, c1990.

Table 2: Incident Response and Reporting Projections

 Criterion tested                                        Estimated   Standard   95% CI   95% CI   Coefficient    Achieved      Exceptions
                                                         exceptions  error      lower    upper    of variation   precision99   observed in sample
 Not all checklists completed as required by SOP               139     52.831       33      244        .380          7%               7
 Incidents were not reported to US-CERT as required            115     48.642       18      212        .423          7%               5
 Incidents were not resolved in a timely manner                138     52.831       32      243        .383          7%               6
 Incidents were not resolved to minimize further damage        322     74.929      172      471        .233         10%              14

Based on our sample results:
    We estimate that 139 incidents (about 9.4 percent of the audit universe) had incomplete\n           checklists. We are 95 percent confident that between 33 (2.2 percent) and 244\n           (16.7 percent) incidents in the audit universe are non-compliant with this criterion.\n     \xc2\xb7     We estimate that 115 incidents (about 7.8 percent of the audit universe) were not reported\n           to US-CERT as required. We are 95 percent confident that between 18 (1.2 percent) and\n           212 (14.4 percent) incidents in the audit universe are non-compliant with this criterion.\n     \xc2\xb7     We estimate that 138 incidents (about 9.3 percent of the audit universe) were not resolved\n           in a timely manner. We are 95 percent confident that between 32 (2.2 percent) and 243\n           (16.5 percent) incidents in the audit universe are non-compliant with this criterion.\n     \xc2\xb7     We estimate that 322 incidents (21.9 percent) were not resolved to minimize further\n           damage. We are 95 percent confident that between 172 (11.7 percent) and 471\n           (32 percent) incidents in the audit universe are non-compliant with this criterion.\n\n99\n  Achieved precision equals one-half the difference between the lower bound and the upper bound of the confidence\ninterval. For example, (244 \xe2\x80\x93 33) / 2 = 105.5. Expressed as a fraction of the universe, this is 105.5 / 1473 = 7.16\npercent.\n\n2. POA&Ms\n\n     Open POA&Ms\n\nUniverse:\nThe universe of open POA&Ms consisted of 2,094 POA&Ms.\n\nSample Design:\nWe based our sample size on a 50 percent error rate and desired absolute precision of\n+/-10 percent, at the 95 percent confidence level. With these assumptions, we calculated a sample\nsize of 93 POA&Ms for review. We noted that this sample size would also be adequate for a 1\npercent error rate and a tolerable upper limit of 5 percent at the 95 percent confidence level. We\nselected a simple random sample of 93 POA&Ms for review.\n\nResults:\nResults for all criteria are projected to the audit universe of 2,094 POA&Ms. Achieved precision\nrelative to the audit universe is reported for each criterion. The corresponding lower and upper\nbounds of the 95 percent confidence interval are also included. All projections are made using\nthe normal approximation to the binomial as reflected in standard equations for a simple random\nsample.100\n\n100\n      Op. cit., Scheaffer et al. Chapter 4.\n\nProjections are shown in Table 3. Narrative interpretation of the results can be found below the\ntable.\n\nTable 3: Open POA&M Projections\n\n Criterion tested                 Estimated  Standard  95% CI  95% CI Coeff. of    Achieved  Exceptions\n                                 exceptions     error   lower   upper variation   precision   in sample\n Source of weakness not tracked         721   100.672     519     922     0.140         10%          32\n Not appropriately prioritized          901   104.901     691   1,110     0.116         10%          40\n Not updated in a timely manner         338    77.925     182     494     0.231          7%          15\n Milestone dates not adhered to       1,464    97.192   1,269   1,658     0.066          9%          65\n\nBased on our sample results:\n       \xc2\xb7    We estimate that for 721 (about 34 percent of the universe) open POA&Ms in our\n            universe, the identified source of weakness was not tracked. We are 95 percent confident that\n            between 519 (25 percent) and 922 (44 percent) open POA&Ms in the audit universe are non-\n            compliant with this criterion.\n       \xc2\xb7    We estimate that 901 (about 43 percent of the universe) open POA&Ms in our universe\n            were not appropriately prioritized. We are 95 percent confident that between 691 (33 percent)\n            and 1,110 (53 percent) open POA&Ms in the audit universe are non-compliant with this\n            criterion.\n       \xc2\xb7    We estimate that 338 (about 16 percent of the universe) open POA&Ms in our universe\n            were not updated in a timely manner. We are 95 percent confident that between 182\n            (9 percent) and 494 (24 percent) open POA&Ms in the audit universe are non-compliant with\n            this criterion.\n       \xc2\xb7    We estimate that for 1,464 (about 70 percent of the universe) open POA&Ms in our\n            universe, milestone dates were not adhered to. 
We are 95 percent confident that between\n            1,269 (61 percent) and 1,658 (79 percent) open POA&Ms in the audit universe are non-\n            compliant with this criterion.\n\n     Closed POA&Ms\n\nUniverse:\nThe universe of closed POA&Ms consisted of 1,023 closed POA&Ms.\n\nSample Design:\nBased on observations from prior year non-statistical samples, we based our sample size on a\n\xe2\x80\x9cmoderate error rate\xe2\x80\x9d scenario: a 30 percent error rate and +/-10 percent precision at the\n95 percent confidence level. With these assumptions, we calculated a sample size of 76 closed\nPOA&Ms for review. We noted that this sample size would also be reasonable for a 1 percent\nerror rate and a tolerable upper limit of 5 to 6 percent at the 95 percent confidence level.\n\nWe selected a simple random sample of 76 POA&Ms for review and identified a possible stop-\nor-go decision once the first 43 POA&Ms were reviewed.\n\nResults:\nResults are projected to the universe of 1,023 closed POA&Ms. Achieved precision relative to\nthe universe is reported for each criterion. The corresponding lower and upper bounds of the\n95 percent confidence interval are also included. All projections are made using the normal\napproximation to the binomial as reflected in standard equations for a simple random sample.101\n\n101\n      Ibid.\n\nProjections are shown in Table 4. Narrative interpretation of the results can be found below the\ntable.\n\nTable 4: Closed POA&M Projections\n\n Criterion tested                                     Estimated  Standard  95% CI  95% CI Coeff. of    Achieved  Exceptions\n                                                     exceptions     error   lower   upper variation   precision   in sample\n Closed POA&Ms did not have remediation actions             190    60.122      69     312      .316         12%           8\n to sufficiently address the identified weaknesses\n\nBased on our sample results, we estimate that for 190 (about 19 percent of the universe) closed\nPOA&Ms in the universe, remediation actions did not sufficiently address weaknesses. We are\n95 percent confident that between 69 (7 percent) and 312 (30 percent) closed POA&Ms in the universe\nare non-compliant with this criterion.\n\n3. System / Contingency Planning\n\nUniverse:\nOur universe consisted of all FISMA reportable systems for the three agencies reviewed as of\nAugust 2, 2011. Each system is to have a contingency plan that contains very specific recovery\ninformation for the agency in the event of a disaster.\n\nSample Design:\nWe selected a simple random sample of 25 contingency plans for review. For a 95 percent\nconfidence level, this sample size was adequate for a range of potential outcomes: from a\n0 percent exception rate with a 5 percent upper limit to a 30 percent error rate with +/-10 percent\nprecision. 
Our simple random sample included at least one contingency plan from each agency,\nso we did not use stratification.\n\nResults:\nThe audit team reviewed the first 17 system contingency plans selected in the sample. Results\nare projected to the audit universe of 37 systems. Achieved precision relative to the universe is\nreported for each criterion. The corresponding lower and upper bounds of the 95 percent\nconfidence interval are also included. The achieved confidence intervals were wider than\ntargeted in the design because the review was terminated once the first 17 system contingency\nplans were reviewed. For two criteria, the lower bound was lower than the number of exceptions\nobserved in the sample. All projections are made using the normal approximation to the\nbinomial as reflected in standard equations for a simple random sample.102\n\n102\n      Ibid.\n\nProjections are shown in Table 5. Narrative interpretation of the results can be found below the\ntable.\n\nTable 5: System / Contingency Planning Projections\n\n Criterion tested                                           Estimated  Standard  95% CI  95% CI Coeff. of    Achieved  Exceptions\n                                                           exceptions     error   lower   upper variation   precision   in sample\n The system contingency plans are missing or incomplete.           22     3.347      15      29      .154         19%          10\n The system backups are not performed in a timely manner.           7     2.593       1      12      .397         15%           3\n The system backups are not appropriately tested.                  11     3.099       4      17      .285         18%           5\n\nBased on our sample results:\n    \xc2\xb7     We estimate that 22 (about 59 percent of the universe) systems in our universe had\n          missing or incomplete contingency plans. We are 95 percent confident that between 15\n          (40 percent) and 29 systems (78 percent) are non-compliant with this criterion.\n    \xc2\xb7     We estimate that for 7 (about 18 percent of the universe) systems in our universe,\n          backups were not performed in a timely manner. We are 95 percent confident that up to\n          12 (33 percent) systems are non-compliant with this criterion.\n    \xc2\xb7     We estimate that for 11 systems (about 29 percent of the universe) in our universe,\n          backups were not appropriately tested. We are 95 percent confident that up to 17\n          (47 percent) systems are non-compliant with this criterion.\n\n4. Authority to Operate (ATO) Recertification\n\nUniverse:\nOur universe consisted of 55 FISMA reportable systems requiring ATO recertification in FY11.\nThese were systems which had not been retired and for which the certification expired in FY11.\nAttributes to be tested pertained to System Security Plans, Risk Assessments, and Security\nAssessment Reports.\n\nSample Design:\nWe selected a simple random sample of 25 systems for review, which would satisfy various\npossible combinations of error rates, confidence level, and precision. 
We also provided for a\nstop-or-go decision, in which a \xe2\x80\x9cstop\xe2\x80\x9d decision for a particular criterion could be based on the\nfirst 10 to 15 plans selected, if the review was resulting in all selections having an exception.\n\nResults:\nBecause the review was producing an extremely high error rate, we made projections after 12\nreportable systems were reviewed for the first criterion and after the first 10 reportable systems\nwere reviewed for the remaining two criteria. For the latter two criteria, the smaller sample\nresulted in a slight loss of precision overall, but the lower limit on the projection is still very\nhigh. All results below are projected to the universe of 55 reportable system certifications.\n\nTable 6: ATO Recertification Projections\n\n Criterion tested                                   Sample  Estimated   Lower error limit at 95% CL  Exceptions\n                                                      size exceptions           [number / fraction]   in sample\n Were System Security Plans (SSP) adequate?             12         55                    44 / 80.3%          12\n Did the systems' SARs reviewed meet the minimum        10         55                    42 / 76.4%          10\n security requirements required by NIST?\n Were risk assessments conducted in accordance          10         55                    42 / 76.4%          10\n with government policies?\n\nBased on our sample results:\n     \xc2\xb7   We estimate that all 55 SSPs are inadequate. We are 95 percent confident that at least\n         80.3 percent of the SSPs in the universe are inadequate.\n     \xc2\xb7   We estimate that all 55 SARs fail to meet the minimum NIST security requirements. We\n         are 95 percent confident that at least 76.3 percent of systems in our universe failed to\n         meet the minimum NIST requirements.\n     \xc2\xb7   We estimate that none of the 55 risk assessments were conducted in accordance with\n         government policies. We are 95 percent confident that at least 76.3 percent of the risk\n         assessments in our universe were not conducted in accordance with government policies.\n\n\x0cTo learn more about OIG, visit our website at\nwww.usda.gov/oig/index.htm\n\nHow To Report Suspected Wrongdoing in USDA Programs\n\nFraud, Waste, and Abuse\nIn Washington, DC 202-690-1622\nOutside DC 800-424-9121\nTDD (Call Collect) 202-690-1202\n\nBribes or Gratuities\n202-720-7257 (Monday\xe2\x80\x93Friday, 9:00 a.m.\xe2\x80\x93 3 p.m. ET)\n\n\nThe U.S. Department of Agriculture (USDA) prohibits discrimination in all of its programs and activities on the basis of race, color, national origin,\nage, disability, and where applicable, sex (including gender identity and expression), marital status, familial status, parental status, religion, sexual\norientation, political beliefs, genetic information, reprisal, or because all or part of an individual\xe2\x80\x99s income is derived from any public assistance program.\n(Not all prohibited bases apply to all programs.) Persons with disabilities who require alternative means for communication of program information\n(Braille, large print, audiotape, etc.) should contact USDA\xe2\x80\x99s TARGET Center at (202) 720-2600 (voice and TDD). USDA is an equal opportunity provider\nand employer.\n\x0c"
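The projection arithmetic used throughout Exhibit B, as an added worked example that is not part of the OIG report: the simple-random-sample estimator with finite population correction from Scheaffer, Mendenhall and Ott (the reference the exhibit cites), the achieved-precision rule of footnote 99, and the exact lower error limit that applies in Table 6 when every sampled item is an exception. The inputs are the exhibit's own figures for the closed POA&M sample (universe 1,023, stop-or-go point at 43 reviewed, 8 exceptions) and the ATO recertification sample (universe 55, first 10 reviewed, all exceptions). The function names are the editor's own, and the confidence-bound multiplier is left as a parameter because the report does not state which multiplier its sampling software applied.

```python
"""Attribute-sample projections of the kind tabulated in Exhibit B.

Added example, not code from the OIG report. Function names are the
editor's own; the formulas are the simple-random-sample estimators given
in Scheaffer, Mendenhall and Ott, the reference the exhibit cites.
"""
import math


def achieved_precision(lower, upper, universe):
    """Footnote 99: half the confidence-interval width, as a fraction of the universe."""
    return (upper - lower) / 2 / universe


def project_total(universe, sample_size, exceptions, multiplier=2.0):
    """Project the number of exceptions in a universe of N from a simple random sample of n.

    Standard error of the projected total, with finite population correction:
        SE = N * sqrt(p(1-p)/(n-1)) * sqrt((N-n)/N),   p = x/n
    Bounds are estimate +/- multiplier * SE. Scheaffer et al. use 2; a t quantile
    for n-1 degrees of freedom is slightly larger (assumption: the report's own
    software used something in that range, it does not say which).
    """
    big_n, n, x = universe, sample_size, exceptions
    p = x / n
    estimate = big_n * p
    se = big_n * math.sqrt(p * (1 - p) / (n - 1)) * math.sqrt((big_n - n) / big_n)
    lower = max(0.0, estimate - multiplier * se)        # a count cannot go below zero
    upper = min(float(big_n), estimate + multiplier * se)  # nor above the universe
    return {
        "estimate": estimate,
        "standard_error": se,
        "lower": lower,
        "upper": upper,
        "cv": se / estimate if estimate else float("nan"),
        "achieved_precision": achieved_precision(lower, upper, big_n),
    }


def all_exceptions_lower_limit(universe, sample_size, alpha=0.05):
    """Lower error limit when every one of the n sampled items is an exception.

    Sampling is without replacement, so with D exceptions among N the probability
    that all n draws are exceptions is C(D, n) / C(N, n) (hypergeometric). The
    limit is the smallest D that such a sample does not reject at level alpha:
    every smaller D would make an all-exception sample too unlikely to observe.
    """
    big_n, n = universe, sample_size
    denominator = math.comb(big_n, n)
    for d in range(n, big_n + 1):
        if math.comb(d, n) / denominator >= alpha:
            return d
    return big_n


def table_row(label, result):
    """Render one projection the way the exhibit tables print it."""
    return (f"{label:<42} {result['estimate']:>7.0f} {result['standard_error']:>9.3f} "
            f"{result['lower']:>6.0f} {result['upper']:>6.0f} {result['cv']:>6.3f} "
            f"{result['achieved_precision']:>5.0%}")


if __name__ == "__main__":
    # Closed POA&Ms (Table 4): universe 1,023, stop-or-go point at 43, 8 exceptions.
    closed = project_total(1023, 43, 8)
    print(table_row("Remediation did not address weakness", closed))
    # The printed 69 / 312 are reproduced with a multiplier near the t quantile for 42 df.
    print(table_row("  same, multiplier 2.018", project_total(1023, 43, 8, multiplier=2.018)))
    # Footnote 99 worked on the Table 2 figures: (244 - 33) / 2 = 105.5, i.e. 7.16% of 1,473.
    print(f"achieved precision, Table 2 row 1: {achieved_precision(33, 244, 1473):.2%}")
    # Table 6: 10 of 10 reviewed SARs failed, universe of 55 systems.
    d = all_exceptions_lower_limit(55, 10)
    print(f"lower error limit at 95% CL: {d} / {d / 55:.1%}")
```

With the multiplier at 2 the closed POA&M row projects 190 with a standard error of 60.122, exactly the Table 4 figures; the printed bounds of 69 and 312 come out once the multiplier is raised to the t quantile for 42 degrees of freedom (about 2.018), which is why the parameter is exposed rather than fixed. The hypergeometric rule returns 42, i.e. 76.4 percent of 55, matching the lower error limit shown for the two 10-item criteria in Table 6; note that the limit is a bound on how many exceptions the universe holds, not an estimate of the failure rate among the unsampled systems.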